Wednesday, August 15, 2012

Android Attacks in a Nutshell (Part II)

2 Local XSS Attack

2.1 Attacker Model

Backes, Gerling and Styp-Rekowsky [3] developed an Android 2.3.4 application that, without requiring any permission, can steal cookies stored in the Web browser for Web sites of the attacker's choice and automatically install arbitrary applications from the Android Market without user consent. The three prerequisites for this attack are the following:
• The user must install the malicious application, e.g. by integrating the malicious code into an unsuspicious application such as a small game. Since no permission is needed at install time, there is a high chance that the user will install an application that looks trustworthy.
• The user needs to store login cookies in the browser, as in normal cross-site request forgery attacks. To install other Android applications, it is further required that the user is already logged in to his Google account (the one he paired his phone with). Note that, according to Google's policy, it suffices that the user is logged in to an arbitrary Google service.
• The WebKit-based browser shipped with Android needs to be the default receiver for http:/https: and javascript: VIEW Intents.

2.2 Implementation

The attack exploits a flaw in the Intent handling mechanism of the Android browser. Naturally, this browser is configured to receive VIEW Intents that operate on http: and https: URIs, and it handles VIEW Intents for javascript: URIs as well. Whenever the browser receives an Intent to view an http:/https: URI, it opens a new browser window and loads the given Web site. However, upon reception of a VIEW Intent for a javascript: URI, the browser does not open a new window but reuses the currently active window. Consequently, the JavaScript code given in the Intent URI is executed in the context of the Web site currently loaded in the active window. This leads to a generic local XSS vulnerability that works with arbitrary Web sites.

As can be seen in the following lines of code, the application first creates a VIEW Intent for the target Web site, in our example https://market.android.com, and dispatches it to the system. This causes Android to launch the default browser and load the specified Web site. The application then sleeps for 10 seconds to wait for the Web site to finish loading. It then dispatches an Intent containing JavaScript code to be executed within the context of the previously loaded Web site. Here, the Intent causes the browser to display the cookie information stored for https://market.android.com.

The following is the code sample in Java:

import android.content.Intent;
import android.net.Uri;

// Step 1: open the target site in the default browser via an http(s): VIEW Intent.
Uri uri = Uri.parse("https://market.android.com/");
Intent intent = new Intent(Intent.ACTION_VIEW, uri);
startActivity(intent);
// Step 2: wait for the page to load (Thread.sleep throws InterruptedException, which must be handled).
try { Thread.sleep(10000); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
// Step 3: a javascript: VIEW Intent is run in the already-loaded window instead of a new one.
uri = Uri.parse("javascript:alert(document.cookie);");
intent.setData(uri);
startActivity(intent);
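The fix the flaw calls for on the receiving side is a scheme allowlist applied to every VIEW Intent, including those arriving through onNewIntent() while a window is already open. The following Activity is an added example of that check, not code from the post or from the paper; the class name HardenedBrowserActivity, the tag string and the use of a plain WebView as the browser window are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical browser activity (added example) that refuses to execute
// javascript: URIs handed to it by other applications via VIEW Intents.
public class HardenedBrowserActivity extends Activity {
    private static final String TAG = "HardenedBrowser";
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");
    private WebView webView;

    // Only http/https may be loaded from an external Intent; javascript:, file:
    // and friends are rejected. Lower-casing catches "JavaScript:" variants
    // without relying on Uri.normalizeScheme(), which Android 2.3 lacks.
    static boolean isLoadableFromIntent(Uri uri) {
        if (uri == null || uri.getScheme() == null) return false;
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.contains(scheme);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        handleViewIntent(getIntent());
    }

    // Reached when a second VIEW Intent arrives while this window is active,
    // which is exactly the situation the attack relies on.
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleViewIntent(intent);
    }

    private void handleViewIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return;
        Uri uri = intent.getData();
        if (!isLoadableFromIntent(uri)) {
            // Never run a javascript: URI in a window that already holds another site's
            // origin; drop it and log the attempt so the event is visible.
            Log.w(TAG, "Rejected VIEW Intent with scheme: " + (uri == null ? "null" : uri.getScheme()));
            return;
        }
        webView.loadUrl(uri.toString());
    }
}
```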
