Securing Web-Native Bridge in Hybrid Mobile Apps By Sachinraj Shetty
Agenda
• What is Hybrid Mobile App?
• Role of Web-Native Bridge
• Bypassing Sandbox and Same Origin Policy
• Reflection based attacks
• Securing the Bridge
Web-Native Bridge
Native code:

    import android.app.Activity;
    import android.os.Bundle;
    import android.webkit.WebView;

    public class WebViewActivity extends Activity {
        WebView webView;

        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            webView = new WebView(this);
            setContentView(webView);
            // JavaScript must be enabled for the web layer to call the bridge.
            webView.getSettings().setJavaScriptEnabled(true);
            // Expose MyNativeClass to page scripts under the name "mybridge".
            webView.addJavascriptInterface(
                    new MyNativeClass(), "mybridge");
            webView.loadUrl("http://192.168.1.10/demo.html");
        }

        public class MyNativeClass {
            public String writeStrToFile(String strText) {
                // code to write the string to file goes here.
                return "success";
            }
        }
    }
Web-Native Bridge
Web Layer code:

    <html>
    <body>
    <input type="button" value="Click Me" onClick="mybridge.writeStrToFile('Hello World')" />
    </body>
    </html>
Mobile Ads I am NOT Malicious. CLICK ME.
Attacking the bridge using Java Reflection
• Reflection is a Java feature that allows a program to access class information at runtime, and to use this information to create new objects and invoke methods. It is widely used in visual editors, debuggers and test tools.
• Reflection can be used with the Web-Native bridge handler in JavaScript as shown below:

    mybridge.getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
Securing the Bridge
• Ensure only the needed permissions are provided in the App's Manifest file.
• Do not expose unnecessary native methods to the Web layer, since each exposed method gives the Web layer access to system resources.
• Preventing SOP bypass:
    • When the app loads, native code generates a random number and creates a cookie for the domain with this random value.
    • The JavaScript web component reads the cookie for the domain and retrieves the random value.
    • JS passes this random value as a parameter to the bridge call.
    • The native code validates that the random value passed to the bridge is the same as the one it created at load time. If it is the same, it continues with the bridge call; otherwise it returns.
Securing the Bridge
• Supported in Android ver 4.2 and later:

    @JavascriptInterface
    public void exposedMethod(String toast) { … }

• Have the application open untrusted links in a standalone browser instead of WebView.
• Ensure SSL.
• Develop a custom JavaScript bridge using shouldOverrideUrlLoading(), as an alternative to addJavascriptInterface().
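The cookie-token check from the "Preventing SOP bypass" steps, combined with the @JavascriptInterface annotation, as an added example that is not from the original slides. The class name GuardedBridge, the cookie name bridge_token and the HTTPS origin passed to attach() are assumptions; the bridge name and writeStrToFile are reused from the earlier slide.

```java
import android.webkit.CookieManager;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added example: bridge object that rejects calls lacking the load-time token.
public class GuardedBridge {
    private static final String COOKIE_NAME = "bridge_token"; // assumed name
    private final String token;

    private GuardedBridge(String trustedOrigin) {
        // Native code generates an unguessable value when the app loads.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        token = hex.toString();
        // Cookie is set for the trusted origin only, so script from another
        // origin (an ad iframe, say) cannot read it via document.cookie.
        CookieManager.getInstance().setCookie(
                trustedOrigin, COOKIE_NAME + "=" + token + "; Path=/; Secure");
    }

    // Compare with MessageDigest.isEqual rather than String.equals.
    private boolean tokenMatches(String supplied) {
        return supplied != null && MessageDigest.isEqual(
                token.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Apps targeting Android 4.2+ expose only annotated methods to JavaScript.
    @JavascriptInterface
    public String writeStrToFile(String suppliedToken, String strText) {
        if (!tokenMatches(suppliedToken)) return "denied"; // wrong or missing token
        // code to write the string to file goes here
        return "success";
    }

    // Web layer: var t = (document.cookie.match(/bridge_token=([0-9a-f]+)/) || [])[1];
    //            mybridge.writeStrToFile(t, 'Hello World');
    public static void attach(WebView webView, String trustedOrigin) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new GuardedBridge(trustedOrigin), "mybridge");
        webView.loadUrl(trustedOrigin + "/demo.html"); // e.g. https://app.example.test
    }
}
```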
Thank You You can reach me at: sachinraj.shetty@gmail.com