HTML5 Hole Puts Smartphones at Risk

Wednesday, April 2, 2014 @ 07:04 PM gHale

Only a fraction of mobile apps are currently written in HTML5, but there is a vulnerability in the code that could cause big problems as more applications start to use the mark-up language.

With experts estimating 50 percent of applications will end up written in the markup language by 2016, a boatload of smartphones could be at risk of a new Cross-Device Scripting (XDS) attack.

Anyone running vulnerable HTML5-based apps on their smartphones – including iPhones, BlackBerrys and Android-based devices – is at risk of malicious code injection, said Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, researchers with Syracuse University, in a paper entitled, “XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps.”

Attackers can inject the malicious code through a number of different commonly used channels, including Wi-Fi scanning, SMS messaging, scanning of 2D barcodes, Bluetooth pairing, and even through the playing of MP3 audio or MP4 videos, Du said.

If a compromised 2D barcode is scanned using an HTML5-based app, that app would be compromised. However, playing a compromised MP3 file in an app written in the device’s native programming language – Android-based devices use JavaScript and iOS devices use Objective-C – would result in no compromise.

The injection via Wi-Fi scanning does not require a user to connect to the attacker’s network, just to locate it using a vulnerable HTML5-based app, Du said, explaining that an attacker can circumvent the 32-byte length limitation and inject more effective malicious code by using multiple Wi-Fi access points.

Another tough element of the attack is that it will send malicious code to contacts via SMS if granted access to a user’s address book, Du said, explaining that any of those contacts running an HTML5-based SMS app will be at risk of compromise.

After injecting the malicious code, an attacker has access to just about anything the compromised mobile application has access to, Du said. Right now that may really only include access to SMS messages, location data and address books, given the HTML5-based apps currently in use, but that is bound to change as the programming language is more widely adopted.

“HTML5 allows [developers] to write one version of code that can be used across platforms,” Du said, explaining the time-saving technology has already proven attractive to developers and is being taught in schools. “Today [it may not be as] relevant, but two years from now, if many people have these kinds of [HTML5-based] apps, it’s likely that this will spread, and that’s where the problems will come.”

Du could not reveal the name of one vulnerable app he said users have downloaded more than a million times, but he explained his team has alerted the app developer of the HTML5 issues and the company is exploring a fix.

Meanwhile, the Syracuse University researchers are also still exploring ways to mitigate this threat, Du said, but as of now, he suggested using one of the safer application programming interfaces (API) listed in the research as a good start.
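The article does not name the safer APIs, so the following is an added illustration, not code from the researchers' paper or from any app mentioned here. It assumes the risky pattern is channel data (here, scanned Wi-Fi SSIDs) concatenated into markup for an HTML-interpreting sink such as `innerHTML`, and shows the same list rendered with output encoding; the function names and sample SSIDs are hypothetical.

```javascript
// Added example. Strings arriving over external channels (Wi-Fi SSID, SMS body,
// barcode text, media metadata) are data and must never be parsed as markup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can start or break out of HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: channel data concatenated into markup as-is.
function renderNetworkListUnsafe(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + s + '</li>').join('') + '</ul>';
}

// Hardened pattern: every value is encoded before it reaches the markup.
// In a DOM, assigning li.textContent = ssid gives the same guarantee.
function renderNetworkListSafe(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + escapeHtml(s) + '</li>').join('') + '</ul>';
}

// Review/test helper: names of opening tags other than the template's own.
function injectedTags(html) {
  const opens = html.match(/<[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return opens.map((t) => t.slice(1).toLowerCase())
              .filter((name) => name !== 'ul' && name !== 'li');
}

// Constructed scan results (hypothetical); the last SSID carries markup.
const SAMPLE_SSIDS = ['HomeNet', 'Cafe & Bar', '<img src=x onerror=alert(1)>'];

console.log(injectedTags(renderNetworkListUnsafe(SAMPLE_SSIDS)));
console.log(injectedTags(renderNetworkListSafe(SAMPLE_SSIDS)));
console.log(renderNetworkListSafe(SAMPLE_SSIDS));
```

Because each value is encoded on its own, the result does not depend on which channel delivered the string or on how many access points it was spread across.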
