Analyzing Android Browser Apps for file:// Vulnerabilities

Daoyuan Wu and Rocky K. C. Chang
Department of Computing, The Hong Kong Polytechnic University
This website was created on Apr 18, 2014

This is a project website for our ESORICS'14 paper submission. We also prepare a poster for this paper.
We built this website in hope that (1) our reported vulnerable browser apps could be timely patched, and (2) more app developers could better understand the FileCross attacks and their security implications. Yes, the FileCross issues can also exist in non-browser apps, but browsers are the ideal FileCross targets (since browsers usually accept external browsing requests and they contain many sensitive user information).

Abstract

Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploits the vulnerable file:// to obtain user's private files, such as cookies, bookmarks, and browsing histories. Our study shows that this class of attacks is much more prevalent and damaging than previously thought. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the nine patches received from the developers and find one still failing to block the vulnerability.

The FileCross Attacks

The following figure illustrates an overview of FileCross and its four attack examples. Further explanations are available in our ESORICS'14 paper submission.

More Details

1. The paper information is as follows.

  • Daoyuan Wu and Rocky K. C. Chang, "Analyzing Android Browser Apps for file:// Vulnerabilities", submitted to ESORICS'14 and released as a technical report at arxiv.

2. A detailed result of our tested 115 browser apps is listed in the Result page.

3. Our automated testing system is described in the System page.