Automated Generation of Event-Oriented Exploits in Android Hybrid Apps
|
|
- Hilary Caldwell
- 6 years ago
- Views:
Transcription
1 Automated Generation of Event-Oriented Exploits in Android Hybrid Apps Guangliang Yang, Jeff Huang, and Guofei Gu *Secure Communication and Computer Systems Lab Texas A&M University
2 In Android, the hybrid development approach is popular The use of the embedded browser, known as "WebView" rendering web content and running JavaScript code without leaving apps (i.e., hybrid apps) Advantages Easy to deploy Re-using existing web code
3 Event Handler: A unique WebView feature Through the event handler feature, developers can handle/customize web events. Security Flaws! Changing web UI, such as drawing web alert dialogs Supporting customized URL, such as tel:800 -> making a call 94.2% apps use the event handler feature
4 Event Handler: A unique WebView feature Handling/Customizing web events via Event Handler WebView HTML/JavaScript Code Web Event Native (Java) Event Handler Hybrid App
5 Event Handler: A unique WebView feature Handling/Customizing web events via Event Handler WebView HTML/JavaScript Code Native (Java) Event Handler Hybrid App
6 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input WebView HTML/JavaScript Code Server Native (Java) Event Handler Hybrid App Android Device
7 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input WebView <a href = mmsdk://c1.c2?args=...&callback=... Native shouldoverrideurlloading(webview view, String url) { } function1 hashmap(c1. c2) result = function1(args) loadurl( javascript: + callback + ( + result + ) );
8 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input WebView <a href = mmsdk://c1.c2?args=...&callback=... Native shouldoverrideurlloading(webview view, String url) { ) ); } function1 hashmap(c1. c2) Implicit Flow result = function1(args) loadurl( javascript: + callback + ( + result +
9 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input WebView Native 1. Recording audio <a href = mmsdk://c1.c2?args=...&callback= Using camera to take pictures shouldoverrideurlloading(webview view, String url) { 3. Leaking device ID 4. Attacking other apps using Intent 5. ) ); } function1 hashmap(c1. c2) Implicit Flow result = function1(args) loadurl( javascript: + callback + ( + result +
10 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#1 Target
11 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#1 Target
12 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#1 Target
13 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#2 Event Handler#1 Target
14 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#2 Event Handler#1 Target
15 Attacking Event Handlers Potential Attack#1: triggering an event handler with appropriate input Event Handler#2 Event Handler#1 Event Handler#2 Event Handler#1 Target
16 Attacking Event Handlers Potential Attack#2: Playing web events as gadgets The target program state is S t State transitions: [S 1 S 2... S t ] Web events triggering: [E 1 E 2... E t ]
17 Attacking Event Handlers Potential Attack#2: Playing web events as gadgets The target program state is S t [S 1 S 2... S t ] [E 1 E 2... E t ] Generalizing Attacks: Event Oriented Exploits (EOE) [EH 1 EH 2... EH t ]
18 Event Oriented Exploits Consequences Cross-origin/frame DOM manipulation Phishing Sensitive information leakage (such as IMEI and GPS) Local resource access (such as local database), etc. Detecting and verifying existing apps against EOE
19 Detecting and verifying apps against EOE Exiting techniques face significant challenges Static analysis (AppIntent, IntelliDroid, TriggerScope, etc.) False positives lack of real data and context False negatives Java Reflection Implicit flows
20 Detecting and verifying apps against EOE Recap WebView <a href = mmsdk://c1.c2?args=...&callback=... Native shouldoverrideurlloading(webview view, String url) { function1 hashmap(c1. c2) Implicit Flow }
21 Detecting and verifying apps against EOE Exiting techniques face significant challenges Static analysis (AppIntent, IntelliDroid, TriggerScope, etc.) False positives Lack of real data and context False negatives Java Reflection Implicit flows (Google Ads, etc.)
22 Detecting and verifying apps against EOE Exiting techniques face significant challenges Dynamic analysis False negatives low code coverage Our Solution: EOEDroid
23 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
24 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
25 How does EOEDroid work? Event Handler#2 Event Handler#1 Target
26 How does EOEDroid work? Event Handler#2 Event Handler#1 Target
27 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
28 How does EOEDroid work? Event Handler#2 Event Handler#1 Target
29 How does EOEDroid work? Event Handler#2 Event Handler#1 Event Handler#2 Event Handler#1 Target
30 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
31 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
32 Phase1: Event Handler Analysis Symbolic Execution Challenges Path explosion Discovering interesting paths Unsupported Fork() Keeping analysis contexts clean Hooking external-contentwriting Android ICC: intent Linking intent senders and receivers Implicit Flows Converting implicit flows to regular conditional statements
33 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
34 Phase2: Program State Analysis Event handler input generation Computing path constraints Event handler execution order generation Static backward analysis
35 Our Solution: EOEDroid 1. Dynamic Symbolic Execution 2. Static backward analysis 3. Log analysis
36 Phase3: Exploit Code Generation Conducting the systematic study of event handler triggering code and constraints Web events -> Native event handlers Transferring data Triggering constraints
37 Our Solution: EOEDroid Recap WebView <a href = mmsdk://c1.c2?args=...&callback=... Native shouldoverrideurlloading(webview view, String url) { ) ); } loadurl( javascript: + callback + ( + result +
38 Phase3: Exploit Code Generation JavaScript Code Syntax Analysis Analyzing Abstracted Syntax Tree
39 RESULTS / EVALUATION
40 Evaluation Dataset 3,652 popular apps Testbed Android Nexus 10 Methodology Monkey + Mitmproxy
41 Results 97 vulnerabilities 58 vulnerable apps Low false positives & false negatives Analysis time / per app: ~4 minutes
42 CASE STUDY
43 Case Study: Discovering a potential backdoor A high-profile browser (com.mx.xxxx) 10 million downloads Using EOE to leverage a potential backdoor Stealing IMEI
44 Case Study: Discovering a potential backdoor
45 Case Study: Discovering a potential backdoor Phase#1: applying symbolic execution to analyze each event handler
46 Case Study: Discovering a potential backdoor
47 Case Study: Discovering a potential backdoor Phase#2: applying static analysis to generate the required event handler execution order
48 Case Study: Discovering a potential backdoor Phase#2: applying static analysis to generate the required event handler execution order onpagefinished() shouldoverrideurlloading()
49 Case Study: Discovering a potential backdoor Phase#3: Generating exploit code onpagefinished() shouldoverrideurlloading()
50 CONCLUSION
51 Conclusion Despite existing discussion, the event handler feature continues to be problematic in existing apps. In this paper, we discovered the event handler feature may cause serious consequences. We propose a novel vulnerability detection and verification tool (EOEDroid), and also verified our tool is accurate and effective.
52 Thanks!
53 Detecting and verifying apps against EOE Recap WebView <a href = mmsdk://c1.c2?args=...&callback=... Native shouldoverrideurlloading(webview view, String url) { function1 hashmap(c1. c2) Implicit Flow }
54 Phase1: Event Handler Analysis Implicit Flows Converting implicit flows to regular conditional statements Hashmap r = hashmap.get(k) [k 0, k 1, k 2,..., k n ] Conversion
55 Phase3: Exploit Code Generation Conducting the systematic study of event handler triggering code and constraints Web events -> Native event handlers Transferring data Triggering constraints JavaScript Code Syntax Analysis Analyzing Abstracted Syntax Tree
56 Related Work NoFrak, MobileIFC, and Draco: extending same origin policy (SOP) to the native layer, or providing access control on event handlers Hard to deploy Hard to upgrade Course-grained WIREframe and HybridGuard: providing policy enforcement They only focus on JavaScript code. They can be bypassed by EOE.
57 Countermeasure Using safe connection channel: HTTPS Checking the frame level and the origin information of the event handler caller Upgrade WebView to the newest version Providing new APIs with rich information
Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications
Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications Guangliang Yang, Jeff Huang, Guofei Gu, and Abner Mendoza Texas A&M University {ygl, jeffhuang,
More informationMobility meets Web. Al Johri & David Elutilo
Mobility meets Web Al Johri & David Elutilo Origin-Based Access Control in Hybrid Application Frameworks Outline 1. Introduction Hybrid Apps & Frameworks 2. Security Models 3. Bridges 4. Fracking 5. Existing
More informationAn Empirical Study of Web Resource Manipulation in Real-world Mobile Applications
An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, Min Yang XiaoFeng Wang, Long Lu, and Haixin Duan Background
More informationPrecisely and Scalably Vetting JavaScript Bridge In Android Hybrid Apps
Precisely and Scalably Vetting JavaScript Bridge In Android Hybrid Apps Guangliang Yang, Abner Mendoza, Jialong Zhang, and Guofei Gu SUCCESS LAB Texas A&M University {ygl,abmendoza}@tamu.edu, {jialong,guofei}@cse.tamu.edu
More informationAndroid Online Training
Android Online Training IQ training facility offers Android Online Training. Our Android trainers come with vast work experience and teaching skills. Our Android training online is regarded as the one
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationATC Android Application Development
ATC Android Application Development 1. Android Framework and Android Studio b. Android Platform Architecture i. Linux Kernel ii. Hardware Abstraction Layer(HAL) iii. Android runtime iv. Native C/C++ Libraries
More informationAttacks on WebView in the Android System
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2011 Attacks on WebView in the Android System Tongbo Luo Syracuse University, toluo@syr.edu
More informationStefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology One of the most popular application platforms Easy to deploy and access Almost anything
More informationCopyright 2014, Oracle and/or its affiliates. All rights reserved.
1 Introduction to the Oracle Mobile Development Platform Dana Singleterry Product Management Oracle Development Tools Global Installed Base: PCs vs Mobile Devices 3 Mobile Enterprise Challenges In Pursuit
More information1. GOALS and MOTIVATION
AppSeer: Discovering Interface Defects among Android Components Vincenzo Chiaramida, Francesco Pinci, Ugo Buy and Rigel Gjomemo University of Illinois at Chicago 4 September 2018 Slides by: Vincenzo Chiaramida
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationAccess Control for Plugins in Cordova-based Hybrid Applications
2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising
More informationAndroid Application Development Course Code: AND-401 Version 7 Duration: 05 days
Let s Reach For Excellence! TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC Address: 103 Pasteur, Dist.1, HCMC Tel: 08 38245819; 38239761 Email: traincert@tdt-tanduc.com Website: www.tdt-tanduc.com; www.tanducits.com
More informationDynamic Detection of Inter- Application Communication Vulnerabilities in Android. Daniel Barton
Dynamic Detection of Inter- Application Communication Vulnerabilities in Android Daniel Barton Authors/Paper Metadata Roee Hay IBM Security Omer Tripp IBM T.J. Watson Research Center Marco Pistoia IBM
More informationAndroid App Development
Android App Development Course Contents: Android app development Course Benefit: You will learn how to Use Advance Features of Android with LIVE PROJECTS Original Fees: 15000 per student. Corporate Discount
More information2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions
2 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2014 Android Security Extensions App A Perm. P 1 App B Perm. P 2 Perm. P 3 Kirin [2009] Reference Monitor Prevents the installation
More informationHybrid App Security Attack and Defense
标题文本» 正文级别 1 正文级别 2 正文级别 3 正文级别 4» 正文级别 5 Hybrid App Security Attack and Defense HuiYu Wu @ Tencent Security Platform Department About Me Security researcher at Tencent Security Platform Department Focus
More informationANDROID SYLLABUS. Advanced Android
Advanced Android 1) Introduction To Mobile Apps I. Why we Need Mobile Apps II. Different Kinds of Mobile Apps III. Briefly about Android 2) Introduction Android I. History Behind Android Development II.
More informationVirtualSwindle: An Automated Attack Against In-App Billing on Android
Northeastern University Systems Security Lab VirtualSwindle: An Automated Attack Against In-App Billing on Android ASIACCS 2014 Collin Mulliner, William Robertson, Engin Kirda {crm,wkr,ek}[at]ccs.neu.edu
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationObfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis
Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Andrea Continella, Yanick Fratantonio, Martina Lindorfer, Alessandro Puccetti, Ali Zand, Christopher Kruegel,
More informationHybrid Apps Combining HTML5 + JAVASCRIPT + ANDROID
Hybrid Apps Combining HTML5 + JAVASCRIPT + ANDROID Displaying Web Page For displaying web page, two approaches may be adopted: 1. Invoke browser application: In this case another window out side app will
More informationAndroid Essentials with Java
Android Essentials with Java Before You Program o Exercise in algorithm generation Getting Started o Using IntelliJ CE Using Variables and Values o Store data in typed variables Static Methods o Write
More informationUnderstanding and Detecting Wake Lock Misuses for Android Applications
Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated by FSE 2016 Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research
More informationOverview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises
More informationBabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder Royal Holloway, University of London {claudio.rizzo.2015 lorenzo.cavallaro
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationPROCE55 Mobile: Web API App. Web API. https://www.rijksmuseum.nl/api/...
PROCE55 Mobile: Web API App PROCE55 Mobile with Test Web API App Web API App Example This example shows how to access a typical Web API using your mobile phone via Internet. The returned data is in JSON
More informationAndroid Application Development
Android Application Development Course Code: AND-401 Version 7 (Nougat) 2016 Android ATC Published by: Android ATC Fourth Printing: December 2016. First Printing: October 2013. ISBN: 978-0-9900143-8-6
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationUnderstanding and Detecting Wake Lock Misuses for Android Applications
Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research Group
More informationCOURSE OUTLINE MOC 20480: PROGRAMMING IN HTML5 WITH JAVASCRIPT AND CSS3
COURSE OUTLINE MOC 20480: PROGRAMMING IN HTML5 WITH JAVASCRIPT AND CSS3 MODULE 1: OVERVIEW OF HTML AND CSS This module provides an overview of HTML and CSS, and describes how to use Visual Studio 2012
More informationBreaking and Securing Mobile Apps
Breaking and Securing Mobile Apps Aditya Gupta @adi1391 adi@attify.com +91-9538295259 Who Am I? The Mobile Security Guy Attify Security Architecture, Auditing, Trainings etc. Ex Rediff.com Security Lead
More information55191: Advanced SharePoint Development
Let s Reach For Excellence! TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC Address: 103 Pasteur, Dist.1, HCMC Tel: 08 38245819; 38239761 Email: traincert@tdt-tanduc.com Website: www.tdt-tanduc.com; www.tanducits.com
More informationFirefox for Android. Reviewer s Guide. Contact us:
Reviewer s Guide Contact us: press@mozilla.com Table of Contents About Mozilla 1 Move at the Speed of the Web 2 Get Started 3 Mobile Browsing Upgrade 4 Get Up and Go 6 Customize On the Go 7 Privacy and
More informationBeginner s Guide to Cordova and Mobile Application Development
November 13, 2018 Beginner s Guide to Cordova and Mobile Application Development George Campbell Lead Software Engineer Doug Davies Lead Software Engineer George Campbell Lead Software Engineer Doug Davies
More informationAutomated Discovery of Parameter Pollution Vulnerabilities in Web Applications
Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda NDSS 2011 The Web as We Know It 2 Has evolved from
More informationIGEEKS TECHNOLOGIES. Software Training Division. Academic Live Projects For BE,ME,MCA,BCA and PHD Students
Duration:40hours IGEEKS TECHNOLOGIES Software Training Division Academic Live Projects For BE,ME,MCA,BCA and PHD Students IGeekS Technologies (Make Final Year Project) No: 19, MN Complex, 2nd Cross, Sampige
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationCh 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated
Ch 1: The Mobile Risk Ecosystem CNIT 128: Hacking Mobile Devices Updated 1-12-16 The Mobile Ecosystem Popularity of Mobile Devices Insecurity of Mobile Devices The Mobile Risk Model Mobile Network Architecture
More informationConnect and Transform Your Digital Business with IBM
Connect and Transform Your Digital Business with IBM 1 MANAGEMENT ANALYTICS SECURITY MobileFirst Foundation will help deliver your mobile apps faster IDE & Tools Mobile App Builder Development Framework
More informationSecurity Philosophy. Humans have difficulty understanding risk
Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy
More informationWe need a browser that just works with modern web sites and services. I m worried about Internet security threats and the risk to my business
WHAT WE HEARD FROM YOU We need a browser that just works with modern web sites and services I m worried about Internet security threats and the risk to my business My employees need to be productive when
More informationThe course also includes an overview of some of the most popular frameworks that you will most likely encounter in your real work environments.
Web Development WEB101: Web Development Fundamentals using HTML, CSS and JavaScript $2,495.00 5 Days Replay Class Recordings included with this course Upcoming Dates Course Description This 5-day instructor-led
More informationTo be Technical Or not to be THAT is the question!
To be Technical Or not to be THAT is the question! The Questions We Ask.. No Future of Exploratory (Manual) Testing? The Questions We Ask.. How to Learn Automation? The Perceived Career Path Management
More informationDreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com
DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com By Bill Appleton, CTO, DreamFactory Software billappleton@dreamfactory.com Introduction DreamFactory
More informationWe will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces
More informationarxiv: v3 [cs.cr] 1 Sep 2014
Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky K. C. Chang Department of Computing, The Hong Kong Polytechnic University {csdwu,csrchang}@comp.polyu.edu.hk arxiv:1404.4553v3
More informationDetecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University
Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University 1 Outline Background Related Work Purpose Method Experiment Results Conclusion & Future Work 2
More informationWeb Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech
Web Security advanced topics on SOP Yan Huang Credits: slides adapted from Stanford and Cornell Tech Same Origin Policy protocol://domain:port/path?params Same Origin Policy (SOP) for DOM: Origin A can
More informationSoftware Testing
Ali Complex, 2nd block, Kormangala, Madiwala, Bengaluru-560068 Page 1 What is Software Testing? Software Testing is the process of testing software with the purpose of finding bugs and ensuring that it
More informationCode-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets
Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets Sebastian Lekies (@slekies) Krzysztof Kotowicz (@kkotowicz) Eduardo Vela Nava (@sirdarckcat) Agenda 1. 2. 3. 4. 5. 6. Introduction
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates
More informationWebSphere Puts Business In Motion. Put People In Motion With Mobile Apps
WebSphere Puts Business In Motion Put People In Motion With Mobile Apps Use Mobile Apps To Create New Revenue Opportunities A clothing store increases sales through personalized offers Customers can scan
More informationDesign Inaccuracy Cross Link Authoring Flaw - ipaper Platform
COSEINC Design Inaccuracy Cross Link Authoring Flaw - ipaper Platform Aditya K Sood, - Sr. Security Researcher, Vulnerability Research Labs, COSEINC Email: Aditya [at] research.coseinc.com Website: http://www.coseinc.com
More informationAdaptive Android Kernel Live Patching
USENIX Security Symposium 2017 Adaptive Android Kernel Live Patching Yue Chen 1, Yulong Zhang 2, Zhi Wang 1, Liangzhao Xia 2, Chenfu Bao 2, Tao Wei 2 Florida State University 1 Baidu X-Lab 2 Android Kernel
More informationChat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev
Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2
More informationOracle Mobile Application Framework
Oracle Mobile Application Framework Oracle Mobile Application Framework (Oracle MAF) is a hybrid-mobile development framework that enables development teams to rapidly develop single-source applications
More informationIncident Play Book: Phishing
Incident Play Book: Phishing Issue: 1.0 Issue Date: September 12, 2017 Copyright 2017 Independent Electricity System Operator. Some Rights Reserved. The following work is licensed under the Creative Commons
More informationFinding Vulnerabilities in Web Applications
Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationSecure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn
Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,
More informationProduced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar
Mobile Application Development Higher Diploma in Science in Computer Science Produced by Eamonn de Leastar (edeleastar@wit.ie)! Department of Computing, Maths & Physics Waterford Institute of Technology
More informationEtanova Enterprise Solutions
Etanova Enterprise Solutions Front End Development» 2018-09-23 http://www.etanova.com/technologies/front-end-development Contents HTML 5... 6 Rich Internet Applications... 6 Web Browser Hardware Acceleration...
More informationMobile Applications 2013/2014
Mobile Applications 2013/2014 Mike Taylor Product Manager February 6, 2015 Advanced Development Technology Agenda Devices App Types Test/Deploy Summary Devices Mobile (Feature) Phones Windows version 5/6
More informationAndroid Programming (5 Days)
www.peaklearningllc.com Android Programming (5 Days) Course Description Android is an open source platform for mobile computing. Applications are developed using familiar Java and Eclipse tools. This Android
More informationWhat Mobile Development Model is Right for You?
What Mobile Development Model is Right for You? An analysis of the pros and cons of Responsive Web App, Hybrid App I - Hybrid Web App, Hybrid App II - Hybrid Mixed App and Native App Contents Mobile Development
More informationTESTBEDS Paris
TESTBEDS 2010 - Paris Rich Internet Application Testing Using Execution Trace Data Dipartimento di Informatica e Sistemistica Università di Napoli, Federico II Naples, Italy Domenico Amalfitano Anna Rita
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationSymantec Endpoint Protection Family Feature Comparison
Symantec Endpoint Protection Family Feature Comparison SEP SBE SEP Cloud SEP Cloud SEP 14.2 Device Protection Laptop, Laptop Laptop, Tablet Laptop Tablet & & Smartphone Smartphone Meter Per Device Per
More informationComputer Security CS 426 Lecture 41
Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general
More information6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014
6.858 Quiz 2 Review Android Security Haogang Chen Nov 24, 2014 1 Security layers Layer Role Reference Monitor Mandatory Access Control (MAC) for RPC: enforce access control policy for shared resources
More informationEradicating DNS Rebinding with the Extended Same-Origin Policy
Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5
More informationENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE
ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE TABLE OF CONTENTS Overview...3 A Multi-Layer Approach to Endpoint Security...4 Known Attack Detection...5 Machine Learning...6 Behavioral Analysis...7 Exploit
More informationAdvanced Windows Store App Development Using C#
Course 20485C: Advanced Windows Store App Development Using C# Course Details Course Outline Module 1: Windows Store App Essentials In this module, you will get an overview of the Windows 8.1 user experience
More informationBifocals: Analyzing WebView Vulnerabilities in Android Applications
Bifocals: Analyzing WebView Vulnerabilities in Android Applications Erika Chin and David Wagner University of California, Berkeley {emc, daw}@cs.berkeley.edu Abstract. WebViews allow Android developers
More informationXHound: Quantifying the Fingerprintability of Browser Extensions. Priyankit Bangia Software Engineering. By Oleksii Starov & Nick Nikiforakis
XHound: Quantifying the Fingerprintability of Browser Extensions By Oleksii Starov & Nick Nikiforakis Priyankit Bangia Software Engineering INTRODUCTION What are browser extensions? Browsers are designed
More information1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague
1000 Ways to Die in Mobile OAuth Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague What is this work about? In 2014, Studied OAuth usage in 200 Android/iOS OAuth applications.
More informationOn the Static Analysis of Hybrid Mobile Apps. Outline What is a Hybrid App?
On the Static Analysis of Hybrid Mobile Apps A Report on the State of Apache Cordova Nation Achim D Brucker and Michael Herzberg {abrucker,msherzberg1@sheffieldacuk Department of Computer Science, The
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationORACLE UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP)
Android Syllabus Pre-requisite: C, C++, Java Programming SQL & PL SQL Chapter 1: Introduction to Android Introduction to android operating system History of android operating system Features of Android
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationOWASP AppSec Research The OWASP Foundation New Insights into Clickjacking
New Insights into Clickjacking Marco `embyte` Balduzzi iseclab @ EURECOM embyte@iseclab.org AppSec Research 2010 Joint work with Egele, Kirda, Balzarotti and Kruegel Copyright The Foundation Permission
More informationThe Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony
More informationWeb Browser as an Application Platform Antero Taivalsaari
Web Browser as an Application Platform Antero Taivalsaari November 27, 2007 http://research.sun.com/projects/lively lively@sun.com Background The widespread adoption of the World Wide Web has dramatically
More informationAndroid App Development
Android App Development Outline Introduction Android Fundamentals Android Studio Tutorials Introduction What is Android? A software platform and operating system for mobile devices Based on the Linux kernel
More informationCopyright 2014, Oracle and/or its affiliates. All rights reserved.
1 Oracle Mobile Suite an Overview Vincent Hu Principal Sales Consultant Oracle Mobile Suite Everything you need to mobile enable enterprise applications in one package One Platform, Any App, Any Data,
More informationMobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.
Mobile Payment Application Security Security steps to take while developing Mobile Application s About SISA Payment Security Specialists PCI Certification Body (PCI Qualified Security Assessor) Payment
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationReal-world security analyses of OAuth 2.0 and OpenID Connect
Real-world security analyses of OAuth 2.0 and OpenID Connect Wanpeng Li and Chris J Mitchell 1 Agenda Single sign-on and identity management OAuth 2.0 Two case studies Security analyses OpenID Connect
More informationHow to Leak a 100-Million-Node Social Graph in Just One Week? - A Reflection on OAuth and API Design in Online Social Networks
How to Leak a 100-Million-Node Social Graph in Just One Week? - A Reflection on OAuth and API Design in Online Social Networks Pili Hu and Wing Cheong Lau July 1, 2014 Abstract In this paper 1, we discuss
More informationStatic Analysis for Android: GUIs, Callbacks, and Beyond
Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas (Nasko) Rountev Joint work with Dacong Yan Shengqian Yang Haowei Wu Yan Wang Hailong Zhang Ohio State University PRESTO: Program Analyses
More informationBenefits of Building HTML5 Mobile Enterprise Applications
Benefits of Building HTML5 Mobile Enterprise Applications Product Version 2.0 Table of Contents Introducing OpenText Gupta TD Mobile and HTML5... 3 Challenges of Mobile Enterprise Application Development...
More informationI, J, K. Eclipse, 156
Index A, B Android PhoneGap app, 158 deploying and running, 172 New Eclipse project, 158 Activity dialog, 162 application properties, 160 AVD, 170 configuration, 167 Launcher Icon dialog, 161 PhoneGap
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing
More informationSoftware Development & Education Center ANDROID. Application Development
Software Development & Education Center ANDROID Application Development Android Overview and History ANDROID CURRICULUM How it all got started Why Android is different (and important) Android Stack Overview
More informationVersion 1.1. Mobile Optimisation
Version 1.1 1 Table Of contents 1. Introduction. Page 3 1.1. SmartPay mobile payment pages... Page 3 1.2. A simple and straight forward Multi page..page 3 2. How to integrate...page 4 2.1. Option 1: native
More informationMWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS
Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7 INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4
More information