Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Smartphones at risk of malicious code injection through HTML5-based apps

Only a fraction of mobile apps are currently written in HTML5 – but if 50 percent of applications are written in the markup language by 2016, as experts predict, then a whole lot of smartphones could soon be at risk of a new Cross-Device Scripting (XDS) attack that researchers have been investigating.

In the paper, “XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps,” Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, researchers with Syracuse University, explore how anyone running vulnerable HTML5-based apps on their smartphones – including iPhones, Blackberry's and Android-based devices – is at risk of malicious code injection.

Attackers can inject the malicious code through a number of different commonly used channels, including Wi-Fi scanning, SMS messaging, scanning of 2D barcodes, Bluetooth pairing, and even through the playing of MP3 audio or MP4 videos, Du told SCMagazine.com on Monday.

So, if a compromised 2D barcode was scanned using an HTML5-based app, then that app would be compromised. However, playing a compromised MP3 file in an app running in the device's native programming language – Android-based devices use Java and iOS devices use Objective-C – would result in no compromise.

The injection via Wi-Fi scanning is particularly interesting because it does not require a user to connect to the attacker's network, just to locate it using a vulnerable HTML5-based app, Du said, explaining an attacker can circumvent the 32 byte length limitation and inject more effective malicious code by using multiple Wi-Fi access points.

Another particularly nasty element to the attack is that it will send malicious code to contacts via SMS if granted access to a user's address book, Du said, explaining that any of those contacts running an HTML5-based SMS app will become at risk of being compromised. 

After injecting the malicious code, an attacker has access to just about anything the compromised mobile application has access to, Du said. Right now that may really only include access to SMS messages, location data and address books, given the HTML5-based apps currently in use, but that is bound to change as the programming language is more widely adopted.

“HTML5 allows [developers] to write one version of code that can be used across platforms,” Du said, explaining that the time-saving technology has already proven attractive to developers and is being taught in schools. “Today [it may not be as] relevant, but two years from now, if many people have these kinds of [HTML5-based] apps, it's likely that this will spread, and that's where the problems will come.”

Du could not reveal the name of one vulnerable app that he said has been downloaded by more than a million users, but he explained that his team has alerted the app developer of the HTML5 issues and that the company is exploring a fix.

Meanwhile, the Syracuse University researchers are also still exploring ways to mitigate this threat, Du said, but as of now, he suggested using one of the safer application programming interfaces (API) listed in the research as a good start.

[An earlier version of this story incorrectly stated that the native programming language for Android is JavaScript].

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.