
Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Guangliang Yang, Jeff Huang, and Guofei Gu
Texas A&M University
{ygl, jeffhuang, guofei}@tamu.edu

Network and Distributed Systems Security (NDSS) Symposium 2018, 18-21 February 2018, San Diego, CA, USA. ISBN 1-1891562-49-5. http://dx.doi.org/10.14722/ndss.2018.23236 www.ndss-symposium.org

Abstract—Recently more and more Android apps integrate the embedded browser, known as "WebView", to render web pages and run JavaScript code without leaving these apps. WebView provides a powerful feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView. However, as shown in prior work, this feature suffers from remote attacks, which we generalize as Event-Oriented Exploit (EOE) in this paper, such that adversaries may remotely access local critical functionalities through event handlers in WebView without any permission or authentication.

In this paper, we propose a novel approach, EOEDroid, which can automatically vet event handlers in a given hybrid app using selective symbolic execution and static analysis. If a vulnerability is found, EOEDroid also automatically generates exploit code to help developers and analysts verify the vulnerability. To support exploit code generation, we also systematically study web events, event handlers and their trigger constraints. We evaluated our approach on the 3,652 most popular apps. The result showed that our approach found 97 total vulnerabilities in 58 apps, including 2 cross-frame DOM manipulation, 53 phishing, 30 sensitive information leakage, 1 local resources access, and 11 Intent abuse vulnerabilities. We also found a potential backdoor in a high profile app that could be used to steal users' sensitive information, such as IMEI. Even though developers attempted to close it, EOEDroid found that adversaries were still able to exploit it by triggering two events together and feeding event handlers with well-designed input.

I. INTRODUCTION

More and more Android apps leverage the power of the embedded browser, known as "WebView", to render web pages and run JavaScript code. In contrast to regular web browsers (such as desktop browsers), WebView is more powerful by providing a unique feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView.

This powerful feature of WebView significantly enriches the functionalities of Android apps. However, as shown in prior work [19], [26], such a feature also introduces potential security flaws. More specifically, it opens a bridge that links web code to native code, but the bridge is not protected in WebView.

However, up to now it still remains unclear how adversaries involve the event handler feature in their attack vectors in practice. A possible attack scenario is that an adversary may trigger an event handler with appropriate input to leverage its internal critical functionalities. More details are shown in Figure 1. First, the adversary injects malicious HTML/JavaScript code into WebView through web or network attacks (Step 1). Then, the malicious code is executed and triggers a web event (Step 2). After that, the corresponding event handler in the native code is called (Step 3). Finally, the event handler is guided by the injected input to execute its internal critical functionalities (Step 4).

[Figure 1: Attack Model]

The above possibility is confirmed by our small-scale empirical study of 100 popular hybrid apps collected from Google Play. We found that an event handler in an old but still popular advertisement (ad) library, "millennialmedia" (version 5), contains rich and powerful functionalities, such as reading Android ID, recording audio and opening the camera. However, the access control on that event handler is weak. The internal critical functionalities can be utilized by triggering the associated web event and feeding it with appropriate input that follows the format "mmsdk://c1.c2?args=...&callback=...", where c1 and c2 are the native functions to be accessed, args are the function's parameters and callback is a JavaScript function name to receive the execution result of the native function.

In addition to the above scenario, another potential attack scenario is that a path to a critical functionality inside an event handler may be executed only under a specific program state, but such a state may not be simply reached by only feeding that event handler with arbitrary input. Instead, similar to return oriented programming based attacks [32], it is possible for adversaries to play web events as "gadgets" and change an app's state. Assume the target program state is $S_t$. It may be reached through the transitions $[S_1 \rightarrow S_2 \rightarrow \dots \rightarrow S_t]$, which could be achieved by triggering the sequence of web events $[E_1 \rightarrow E_2 \rightarrow \dots \rightarrow E_t]$. Hence, by following the above web event chain, adversaries can still change the program state to $S_t$ and execute the target critical functionality.

For convenience, in this paper, we generalize all above attacks as Event-Oriented Exploit (EOE). Due to EOE's powerful capabilities to access critical functionalities through event handlers, serious consequences may be caused, such as local resource access, users' private data leakage and web cross-frame DOM manipulation.

Compared with existing attacks on Android (such as Trojan Attack [7]), EOE has multiple advantages. First, EOE does not require any extra permissions. The malicious web code injected by adversaries fully inherits the target apps' permissions. Second, EOE does not require malicious payloads. Instead, the functionalities contained in event handlers are utilized. Furthermore, compared with existing attacks on WebView (such as sidewinder targeted attack [38], fracking attack [19], and code injection attack [24]), EOE is more practical and feasible. Existing attacks usually require JavaScript and JavaScript-bridge to be enabled, but EOE has no such requirements (Section V-A). Even with only HTML code and special HTTP(S) responses, adversaries can still trigger and leverage many event handlers, including the popular event handler shouldOverrideUrlLoading(), which handles the URL navigation event.

The impact of EOE on smartphone security is serious considering the pervasive deployment of hybrid apps today. However, existing techniques face significant challenges in detecting and verifying apps against EOE. Static analysis suffers from high false positives due to the lack of real data and context. In addition, the limitation of static analysis for handling Java reflection is exacerbated when the reflection operation is combined with array-indexing type implicit flows, which occur frequently when parsing the gadgets' inputs. Dynamic analysis may have low false positives, but is prone to low code coverage. Moreover, generating the required sequence of gadgets to reveal an EOE vulnerability is inherently challenging.

Our Approach. In this paper, we present a systematic study of EOE in Android hybrid apps together with a novel technique, EOEDroid, which can automatically analyze event handlers, detect exploitable critical functionalities, and further generate exploit code.

two ways to cover every $c_i$ to reach $f$. For convenience, we refer to the second case as event handler dependency, which is defined as follows. If operands of a condition $c_0$ in the path $p_0$ of an event handler $eh_0$ can be influenced by the path $p_1$ of another event handler $eh_1$, we say $eh_0$ depends on $eh_1$ on $c_0$ (i.e., $\langle eh_1, p_1 \rangle \xrightarrow{c_0} \langle eh_0, p_0 \rangle$). This means that if adversaries first guide the app to execute $p_1$, the program state related to $c_0$ may be influenced, and then, the expected branch behind $c_0$ may be taken.

The design of EOEDroid is depicted in Figure 2. Given a target app, EOEDroid first employs selective symbolic execution to analyze all its event handlers, actively explore all interesting paths and identify critical functionalities. The path constraints of each interesting path are collected for further analysis. A significant difference with existing symbolic execution based techniques is that EOEDroid carefully handles all conditional statements, including those whose associated operands are not symbolic (i.e., concrete or constant). This is because those conditional statements can provide hints to generate gadgets' execution orders.

To mitigate the notorious "path explosion" problem in symbolic execution, we use several heuristics (e.g., scanning "interesting" APIs and instructions to discover interesting paths in Section V-B1). While these heuristics might cause over-approximation and/or inaccuracy to our analysis, they help us make a good tradeoff between performance and accuracy. In addition, we propose new solutions to address the analysis challenges raised by array-indexing type implicit flows as well as Android features and specifications such as unsupported fork() [1] and inter-component communication (e.g., Android Intent).

Based on the results of selective symbolic execution, EOEDroid then applies static analysis to discover program states that can lead to the execution of a critical functionality, and generates input and execution order of event handlers to reach the program state. The input of an event handler can be generated by solving its path constraints, and the execution order of event handlers can be constructed by solving the event handler dependency problem on those conditional statements whose operands are not symbolic.

Finally, EOEDroid generates exploit code by converting event handlers' input and execution orders to gadgets (i.e., web events). If JavaScript code is required as gadgets' input, EOEDroid is also aware of its syntax and generates the required code.

Along with this, we conduct a systematic study of events, event handlers, and their triggering code and constraints in WebView. We find that 37 web events are exposed to adversaries, and the constraints on triggering events and event handlers are
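The event handler dependency relation ⟨eh1, p1⟩ →c0 ⟨eh0, p0⟩ and the way an execution order of handlers falls out of it can be made concrete with a small model. The Python below is an added illustration for this page, not EOEDroid's code; the handler names, path ids and state variables (onPageFinished, onJsPrompt, shouldOverrideUrlLoading, adReady, sessionOpen) are a constructed sample, and a path is reduced to the concrete-operand conditions it requires and the state it writes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    """One explored path <handler, path_id>: the concrete-operand conditions it
    requires (var == value) and the state it writes when executed."""
    handler: str
    path_id: str
    requires: tuple = ()   # ((var, value), ...) conditions on non-symbolic operands
    writes: tuple = ()     # ((var, value), ...) state changes along the path

def providers(paths, var, value):
    """Paths whose effects can satisfy condition (var == value): the <eh1, p1>
    side of the dependency relation for that condition."""
    return [p for p in paths if (var, value) in p.writes]

def resolve_order(paths, target):
    """Return an execution order of paths ending in `target` in which every
    concrete-operand condition holds when reached, or None if none exists
    (e.g. a circular dependency)."""
    order, visiting = [], set()

    def visit(p):
        if p in order:
            return True
        if p in visiting:                 # cycle: cannot be realised
            return False
        visiting.add(p)
        ok = all(any(visit(c) for c in providers(paths, var, value))
                 for var, value in p.requires)
        visiting.discard(p)
        if ok:
            order.append(p)
        return ok

    return order if visit(target) else None

def simulate(order, initial=None):
    """Replay an order against a state dict as a check on resolve_order;
    raises if a condition is hit before its dependency took effect."""
    state = dict(initial or {})
    for p in order:
        for var, value in p.requires:
            if state.get(var) != value:
                raise RuntimeError(f"{p.handler}:{p.path_id} needs {var}={value}")
        state.update(p.writes)
    return state

# Constructed sample: three explored paths of a hypothetical hybrid app. The
# critical path p0 is only reachable after two other handlers ran in order.
P1 = Path("onPageFinished", "p1", writes=(("adReady", True),))
P2 = Path("onJsPrompt", "p2", requires=(("adReady", True),), writes=(("sessionOpen", True),))
P0 = Path("shouldOverrideUrlLoading", "p0", requires=(("adReady", True), ("sessionOpen", True)))
APP_PATHS = [P1, P2, P0]
```

Running `resolve_order(APP_PATHS, P0)` yields the handler order p1, p2, p0; each handler then maps to the web event that triggers it, which is the gadget chain the text describes.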