Publication: Part of book or chapter of book; Preprint; Conference object; 2014

Analyzing Android Browser Apps for file:// Vulnerabilities

Wu, D.; Chang, Kow Chuen Rocky
Open Access
  • Published: 17 Apr 2014
  • Publisher: Springer International Publishing
Abstract
Securing browsers on mobile devices is very challenging, because these browser apps usually provide browsing services to other apps on the same device. A malicious app installed on the device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploit vulnerable file:// handling to obtain users' private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and M...
Subjects
free text keywords: Computer Science - Cryptography and Security
Download from:
  • http://arxiv.org/pdf/1404.4553... (Part of book or chapter of book; provider: UnpayWall)
  • http://link.springer.com/conte... (Part of book or chapter of book, 2014; provider: Crossref)
28 references, page 1 of 2

1. Terada, T.: Chrome for Android download function information disclosure. https://code.google.com/p/chromium/issues/detail?id=144820

2. Terada, T.: Chrome for Android bypassing SOP for local files by symlinks. https://code.google.com/p/chromium/issues/detail?id=144866

3. Terada, T.: MFSA 2013-84: Same-origin bypass through symbolic links. http://www.mozilla.org/security/announce/2013/mfsa2013-84.html

4. W3C: XMLHttpRequest. http://www.w3.org/TR/XMLHttpRequest/

5. DroidLife: Android distribution. http://www.droid-life.com/tag/distribution/

6. Android: Category BROWSABLE. http://developer.android.com/reference/android/content/Intent.html#CATEGORY_BROWSABLE

7. Android: MonkeyRunner. http://developer.android.com/tools/help/monkeyrunner_concepts.html

8. Sounthiraraj, D., Sahs, J., Greenwood, G., Lin, Z., Khan, L.: SMV-Hunter: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps. In: Proc. ISOC NDSS. (2014)

9. Selenium: Selenium - web browser automation. http://docs.seleniumhq.org/

10. Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: Automatic security analysis of smartphone applications. In: Proc. ACM CODASPY. (2013)

11. Dai, S., Tongaonkar, A., Wang, X., Antonio Nucci, D.S.: NetworkProfiler: Towards automatic fingerprinting of Android apps. In: Proc. IEEE InfoCom. (2013)

12. Anand, S., Naik, M., Harrold, M., Yang, H.: Automated concolic testing of smartphone apps. In: Proc. ACM FSE. (2012)

13. Machiry, A., Tahiliani, R., Naik, M.: Dynodroid: An input generation system for Android apps. In: Proc. ACM FSE. (2013)

14. Hay, R.: MFSA 2014-33: file: protocol links downloaded to SD card by default. http://www.mozilla.org/security/announce/2014/mfsa2014-33.html

15. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Proc. ACM ACSAC. (2011)