Zidong Han

Bridge Attack —Double-edged Sword in MobileSec

Self Introduction l  Mobile Security researcher

-Tencent Mobile Security Labs Razor Team l  Focuses on App vulnerability and IOT related security l  GeekPwn 2018 winner in “Hacker Pwn in House”

l  HITB-SECCONF-2018-Beijing

Agenda

Ø  What is Bridge Attack

Ø  Why a Bridge Attack

Ø  Bridge Attack and Exploit Cases

Ø  Defense the Bridge Attack

Ø  Conclusion

What is Bridge Attack

Develop Fast Without Risk?

What is Abstract Bridge

AbstractBridge

MobileApp IoTDevice

Browser l  Mobile App Ø  Android: Javascript in WebView

Ø  IOS:UIWebView/WKWebView l  IoT Device

Ø  DLNA/Upnp/WebSocket

“UnOffical”definition of Bridge Attack

Browser Attack

User

URL Payload Abstract Bridge

Parse Url

Send Expolit Result JsBridge

IotBridge

…

Mobile Application

Lan IOT Device

Why a Bridge Attack

WebView Attack in Past

l Using addJavascriptInterface to RCE Ø CVE-2012-6336

l WebView Cross-domain Risk Ø setAllowFileAccess Ø setAllowFileAccessFromFileURLs Ø setAllowUniversalAccessFromFileURLs

l URL Scheme Attack Ø <scheme>://<host>:<port>/<path>?<query> with exported

component

Difference in Bridge Attack

l More Attack Surface

l Vulnerability effect with Bridge Ability

l Both Mobile Apps & IoT devicves

Bridge Attack and Exploit Cases

Bridge Attack Surface in Mobile Application

MaliciousRequest

BridgeInApplication&Webview Browser

SchemeParse

BypassRecognize

IdentificationCheck

FakeFun-Call

ActionDispatch

MobileDevice

Bypass Identification Check

Ø XSS attack from url

Ø InSecure domain check(CSRF)

Ø JS Bridge(@JavascriptInterface) Man-in-the-Middle Attack

Insecure Check Case I

str.contains("safe.com")str.endsWith("safe.com") 123safe.com

Expolit JsBridge Ability

Ø Custom JsApi better or worse?

Ø  Easy Web attack can csrf in apps

Insecure Check Case II

http://xxx.com/mobile/middle_page/index.html?url=javascript:alert(document.cookie);//m2.mobike.com

What Can we do except stealing cookie??

Insecure Check Case II

Payload Question: Ø import js file from outer url Ø exec any Sensitive JsApi Ø send user sensitive data to malicious url

Import jsapi file

Call getUserInfo jsapi

sendRequest jsapi to get pay info

Steal user pay info

Insecure Check Case II

Attack From A Malicious Url

CompleteExploit

PayloadUrL

Load

WebviewContainer

H5

JsBridge

Pay

NativeJsAPI

Attacker UserSpace JsBridgeAbility

InfoApi

NativeEvent

StealInfo RCE/LCE Worm

NativeCode

Exec

Javascript

ParseUri

LCE

WhatDifferenceinIotBridge

Ø Penetrate LAN from WAN Attack

-DNS Rebinding -Bridge Attack in Brain App -Other remote attack entries’

Ø  Persistent attack during the exploiting -More Broiler can be chosen in a LAN -More attack mode can be designed and used

IOTInPrivateNetworks

CloudServer

Application

AbstractIoTBridge

CommandRequest CommandResponse

IoTBridgeWithCloudServer

IoTBridgeWithoutCloudServer

IOTInPrivateNetworks Application

AbstractIoTBridge

UPnP

WebSocket

OtherProtocal

Bridge Attack Surface in IoT Devices

DNSRebinding

BridgeInIOTDevice

Browser

PrivateNetwork

Open-PortAnalyze

BridgeProtocal

SendRequest

ActionDispatch

IOTInPrivateNetworks

IoT Bridge Attack Case I

DLNAAction

Ø ExposesomeInterfacewithnoidentifychecking

Ø Basicallycontrolmediaplayability

Ø SpeciallyinjectbackdoorintoTv

IoT Bridge Attack Case I

Ø SensitiveUpnpActionmakesecurityworseØ RemoteDownload->InstallApp->LaunchAppØ AttackerEnteringprivatenetwork

IoT Bridge Attack Case II

Ø CenterAppwithnoCodeProtectionØ CommunicatewithTvwithnoIdentifycheckØ RemoteattackSmartTvimitateCenterAppAction

Defense the Bridge Attack l  For Jsbridge:

Ø Check identification seriously

Ø Constraint the permission of bridge ability

Ø  Ensure the communication security with encryto channel(etc. https)

l  For IoTbridge:

Ø Same security policy with JsBridge Ø Be cautious in expanding and abusing the bridge ability

Ø Make sure your command action with authentication tickets

Conclusion

l MoreTarget:MobileAppsandIoTdevices

l AttackSurface:IntegrateWebattackswithApp/IoTattacks

l Easy-to-use:Byonlyamaliciousurl,evenspreadquicklyandwidely

l ExpolitAbility:RCE/LCE,SensitiveInformationLeak,APT

Thanks