New protection mechanism prevents mobile cross-app content stealing
Posted on 29 August 2013.
A group of researchers from Indiana University and Microsoft Research have recently published a paper detailing the risk of cross-origin attacks on two of the most popular mobile operating systems today - iOS and Android - and have introduced an origin-based protection mechanism of their own design.


Unlike modern browsers, which enforce the same origin policy that prevents the dynamic web content of one domain from directly accessing the resources from a different domain, today's mobile OSes do not have origin-based security policies that would control the cross-origin communications between apps, and between an app and the web, the researchers note.

"[Cross-origin] attacks are unique to mobile platforms, and their consequences are serious: for example, using carefully designed techniques for mobile cross-site scripting and request forgery, an unauthorized party can obtain a mobile user's Facebook/Dropbox authentication credentials and record her text input," they point out.

"Mobile apps essentially play the same role as traditional web browsers at the client side. However, different from conventional web applications, which enjoy browser-level protection for their sensitive data and critical resources (e.g., cookies), apps are hosted directly on mobile operating systems (e.g., Android, iOS), whose security mechanisms (such as Android's permission and sandbox model) are mainly designed to safeguard those devices' local resources (GPS locations, phone contacts, etc.)," the researchers explained. "This naturally calls into question whether the apps' web resources are also sufficiently protected under those OSes."

During their research, they came across five separate cross-origin issues in popular SDKs (software development kits) and high-profile apps such as Facebook and Dropbox - and they discovered that these can be easily exploited to steal users' authentication credentials and other confidential information.

They also concluded that fixing cross-origin flaws would be difficult for app developers, and that origin-based protection must be supported by the OS. In order to prove their point, they designed a protection mechanism they dubbed "Morbs", which "labels every message with its origin information, lets developers easily specify security policies, and enforce the policies on the mobile channels based on origins."
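To make the origin-labelling idea described above concrete, here is an added Python sketch (not code from the paper or from Morbs itself): the OS, not the sender, attaches an origin label to every message crossing a mobile channel, and the receiving app's policy is enforced per channel with default deny. All app package names, domains and channel names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed illustration of OS-enforced, origin-based message policy.
# Origins look like "app:<package>" or "web:<scheme>://<host>" (hypothetical).

@dataclass(frozen=True)
class Message:
    origin: str    # assigned by the OS at the channel boundary, never by the sender
    channel: str   # e.g. "url_scheme", "webview_bridge", "intent" (hypothetical names)
    payload: dict

def label_message(sender_origin: str, channel: str, payload: dict) -> Message:
    """Stand-in for the OS labelling step: the true sender origin is attached and
    any 'origin' key the sender tried to smuggle into the payload is discarded."""
    clean = {k: v for k, v in payload.items() if k != "origin"}
    return Message(sender_origin, channel, clean)

@dataclass
class OriginPolicy:
    # channel -> set of origins permitted to deliver on it; unlisted means denied
    rules: dict = field(default_factory=dict)

    def allow(self, channel: str, origin: str) -> None:
        self.rules.setdefault(channel, set()).add(origin)

    def permits(self, msg: Message) -> bool:
        return msg.origin in self.rules.get(msg.channel, set())

class Receiver:
    """App-side handler that only ever sees messages the policy admits."""
    def __init__(self, policy: OriginPolicy):
        self.policy = policy
        self.delivered = []
        self.rejected = []   # kept for logging/detection, never handed to app code

    def deliver(self, msg: Message) -> bool:
        if not self.policy.permits(msg):
            self.rejected.append(msg)
            return False
        self.delivered.append(msg)
        return True

def demo() -> tuple:
    """Returns (delivered, rejected) counts for three constructed messages."""
    policy = OriginPolicy()
    policy.allow("url_scheme", "web:https://auth.example.com")  # expected OAuth redirect
    policy.allow("intent", "app:com.example.cloudsync")          # trusted companion app
    rx = Receiver(policy)
    rx.deliver(label_message("web:https://auth.example.com", "url_scheme", {"code": "abc"}))
    rx.deliver(label_message("web:https://other.example", "url_scheme",
                             {"code": "xyz", "origin": "web:https://auth.example.com"}))
    rx.deliver(label_message("app:com.other.app", "intent", {"token": "t"}))
    return len(rx.delivered), len(rx.rejected)
```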