New protection mechanism prevents mobile cross-app content stealing
Posted on 29 August 2013.
A group of researchers from Indiana University and Microsoft Research have recently published a paper detailing the risk of cross-origin attacks on two of the most popular mobile operating systems today - iOS and Android - and have introduced an origin-based protection mechanism of their own design.


Unlike modern browsers, which enforce the same origin policy that prevents the dynamic web content of one domain from directly accessing the resources from a different domain, today’s mobile OSes do not have origin-based security policies that would control the cross-origin communications between apps, and between an app and the web, the researchers note.

"[Cross-origin] attacks are unique to mobile platforms, and their consequences are serious: for example, using carefully designed techniques for mobile cross-site scripting and request forgery, an unauthorized party can obtain a mobile user’s Facebook/Dropbox authentication credentials and record her text input," they point out.

"Mobile apps essentially play the same role as traditional web browsers at the client side. However, different from conventional web applications, which enjoy browser-level protection for their sensitive data and critical resources (e.g., cookies), apps are hosted directly on mobile operating systems (e.g., Android, iOS), whose security mechanisms (such as Android’s permission and sandbox model) are mainly designed to safeguard those devices’ local resources (GPS locations, phone contacts, etc.)," the researchers explained. "This naturally calls into question whether the apps’ web resources are also sufficiently protected under those OSes."

During their research, they came across five separate cross-origin issues in popular SDKs (software development kits) and in high-profile apps such as Facebook and Dropbox, and they found that these could be easily exploited to steal users’ authentication credentials and other confidential information.

They also concluded that fixing cross-origin flaws would be difficult for app developers, and that origin-based protection must be supported by the OS. In order to prove their point, they designed a protection mechanism they dubbed "Morbs", which "labels every message with its origin information, lets developers easily specify security policies, and enforces the policies on the mobile channels based on origins."
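To make the three ingredients described above concrete (OS-attached origin labels, developer-declared policies, enforcement per channel), here is a small Python model added for illustration; it is not the researchers' Morbs code, and the app id, origin strings, channel names and policy format are assumptions made for this example.

```python
# Toy model of origin-based policy enforcement on mobile channels. Added
# illustration, not the researchers' Morbs code; the app id, origins,
# channel names and policy format are assumptions made for this example.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    origin: str    # attached by the trusted OS layer, never by the sender
    channel: str   # "scheme" (URL-scheme call), "intent" or "webview"
    payload: dict

@dataclass
class Policy:
    # channel -> set of sender origins the app accepts on that channel
    rules: dict = field(default_factory=dict)

    def allows(self, channel: str, origin: str) -> bool:
        return origin in self.rules.get(channel, set())

class OriginBroker:
    """Stands in for the OS: labels each message with the sender's origin
    and delivers it only if the receiver's policy admits that origin."""

    def __init__(self):
        self.policies = {}   # receiver app id -> Policy
        self.log = []        # (verdict, receiver, channel, origin)

    def register(self, app: str, policy: Policy) -> None:
        self.policies[app] = policy

    def send(self, sender_origin: str, receiver: str, channel: str, payload: dict):
        msg = Message(sender_origin, channel, payload)
        policy = self.policies.get(receiver)
        # Default deny: an app that declared no policy receives nothing.
        ok = policy is not None and policy.allows(channel, msg.origin)
        self.log.append(("delivered" if ok else "blocked", receiver, channel, msg.origin))
        return msg if ok else None

def demo() -> list:
    """Constructed scenario: a client app accepts login callbacks on its URL
    scheme only from its own service's web origin."""
    broker = OriginBroker()
    broker.register("com.example.client", Policy({"scheme": {"https://auth.example.com"}}))
    broker.send("https://auth.example.com", "com.example.client", "scheme", {"code": "c1"})
    broker.send("app://com.other.app", "com.example.client", "scheme", {"code": "c1"})
    broker.send("https://auth.example.com", "com.example.client", "webview", {"cmd": "x"})
    return broker.log
```

The third send in `demo()` shows that a policy grants an origin rights per channel, so trust on the URL-scheme channel does not leak into the WebView channel.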