Research: Attacks on HTML5-based apps infect smartphones, spread like a 'worm'

Syracuse University researchers warn that apps based on HTML5 can put smartphones at risk of being tracked and spreading the infection through their contacts.

By 2016, experts estimate that over 50% of mobile apps will be based on HTML5 technology and coded, at least partially, in JavaScript. Apps are usually written in a language native to a specific platform, but developers only need to create one HTML5-based app and it runs on any platform. While that's handy for app developers, it's also "just a disaster waiting to happen," according to Syracuse University Professor Kevin Du.

"Imagine you're at the airport and you want to find the free Wi-Fi. When you scan, your phone is going to display the Wi-Fi access points. That could be an easy channel for a hacker to inject malicious worm code into your smartphone," Du says. "Once the worm takes control, it can duplicate itself, and send copies to your friends via SMS messages, multimedia file sharing, and other methods."

Du and a team of researchers from the College of Engineering and Computer Science at Syracuse University are warning about Cross-Device Scripting (XDS) attacks on smartphones if apps are based on HTML5. Details of the attacks are in the research paper "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" (pdf), which will be presented at the Mobile Security Technologies (MoST) workshop in May.

To help even technically challenged folks grasp the risks, the team put together video examples demonstrating the following four attack scenarios:

  • If you are at an Airport, and scan for free Wi-Fi access points using an HTML5-based app, you may be attacked.
  • If you receive an SMS message, and use an HTML5-based app to read the message, you may be attacked.
  • If you play an MP3 song or music using an HTML5-based app, you may be attacked.
  • If you scan a 2D barcode using an HTML5-based app, you may be attacked.

Put another way, even basic activities like listening to music, watching a video, opening an image, sending a text message, or scanning for Wi-Fi can leave smartphones "vulnerable to harmful 'computer worms'." If an attacker injects malicious code into a victim's smartphone, it doesn't end there. The researchers warned (pdf), "It can be spread to other people's phones like a worm. The more popular the technology becomes, the more quickly a worm can spread." All major mobile platforms "will be affected, including Android, iOS, Blackberry, Windows Phone, etc., because they all support HTML5-based mobile apps."

Have you ever scanned a QR code with your phone? If yes, then your phone can be pwned, the researchers cited as just one example of how attackers could inject malicious JavaScript into a victim's device. In fact, Du explained how scanning a barcode allows an attacker to inject malicious code and then track the victim's movements on a map. Other exploitable external data channels include text messages, NFC tags, FM radio, Bluetooth pairing, Wi-Fi access point scanning, barcode scanning, MP3s songs, MP4 videos, and JPEG images.

Attackers could also use internal data channels, meaning channels "used by another app on the same device to inject malicious JavaScript code into a vulnerable HTML5-based apps." Examples include profiles, contact list, calendar, external storage and more.

"As long as an HTML5-based app displays information obtained from outside or from another app, it may be a potential victim," they warned. It also depends upon the choice of JavaScript API being used to display the data. Yet the researchers found "that the use of safe APIs is not common." The most popular framework for HTML5-based app development is PhoneGap; it and others are vulnerable.

Xing Jin is a doctoral candidate at SU who has worked with Du on software security for the past year and a half. Jin said, “Professor Du always said, ‘You need to have an evil mind, but have a good heart'. I would like to use my knowledge to help the systems developer. I would like to see my work implemented within Samsung’s technology to benefit the greater good."

So far, the Syracuse team has "identified 14 vulnerable HTML5-based apps from three types of mobile systems, including Android, iOS and Blackberry. Developers of those vulnerable apps have been informed and in an effort to give them time to fix the problem, researchers have decided not to disclose the names of the vulnerable apps."

There is one simple solution; don't use apps based on HTML5. The researchers said, "If the app is written using the language native to the platform (e.g. Java for Android and Object-C for iOS), it is immune to this type of attacks."

I encourage you to watch the plethora of videos showing the attacks, the one showing how to track the victim's location, and/or the longer version embedded above about code injection attacks on HTML5 apps. It's interesting work. You can also read the research, "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" (pdf), before it hits the "mainstream" at the Mobile Security Technologies conference in May.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2014 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022