
Published on April 22nd, 2014


[Paper] Cross-Device Scripting Attacks on Smartphones



ABSTRACT
HTML5-based mobile apps become more and more popular, mostly because they are much easier to be ported across different mobile platforms than native apps. HTML5-based apps are implemented using the standard web technologies, including HTML5, JavaScript and CSS; they depend on some middlewares, such as PhoneGap, to interact with the underlying OS. Knowing that JavaScript is subject to code injection attacks, we have conducted a systematic study on HTML5-based mobile apps, trying to evaluate whether it is safe to rely on the web technologies for mobile app development. Our discoveries are quite surprising. We found out that if HTML5-based mobile apps become popular–it seems to go that direction based on the current projection–many of the things that we normally do today may become dangerous, including reading from 2D barcodes, scanning Wi-Fi access points, playing MP4 videos, pairing with Bluetooth devices, etc. This paper describes how HTML5-based apps can become vulnerable, how attackers can exploit their vulnerabilities through a variety of channels, and what damage can be achieved by the attackers. In addition to demonstrating the attacks through example apps, we have studied 186 PhoneGap plugins, used by apps to achieve a variety of functionalities, and we found that 11 are vulnerable. We also found two real HTML5-based apps that are vulnerable to the attacks.
https://www.cis.syr.edu/~wedu/Research/paper/xds_attack.pdf




