Softpedia
 


December 7th, 2011, 15:07 GMT · By Eduard Kovacs

Mobile Apps That Embed Browsers Vulnerable to XSS Attacks

Kyle Osborn warns about the dangers of embedding browsers in mobile apps
A security researcher has shown that mobile applications built with HTML, CSS and JavaScript on top of the operating system’s embedded web browser can be vulnerable to cross-site scripting attacks.

According to H-Secure, Kyle Osborn presented his findings on this topic on December 6 at TakedownCon, a security conference that hosts speakers who plan to reveal some of the issues that concern mobile and wireless security.

Many developers seem to turn to this approach because it makes the interface easier to customize and more portable to other devices.

“Fortunately for attackers, this now makes web vulnerabilities application vulnerabilities. Using a popular IM and blogging client, among others, (and an operating system!) as examples, we’ll go over how an attacker can own you, mobile and desktop, using everyday web vulnerabilities, Cross Site Scripting,” reads the abstract of Osborn’s work.

To prove his findings, he embedded JavaScript in the location information in a layer on the iPad version of Google Earth. His proof of concept demonstrated that each time a user visited the specific location, the script he had injected was executed.

While Google fixed this specific flaw without any impact on its customers, there are other mobile applications that are susceptible to a similar attack.

In some versions of Skype for Mac OS X, he showed that HTML was not filtered in one instance, which could allow an attacker to inject maliciously crafted JavaScript.

Osborn also made an interesting discovery in the Gmail application for Android. He found an XSS flaw in Gmail.app that would allow a hacker to force the download of a certain file and then force the browser to open it.

Since many application developers rely on these techniques, they are advised to take the researcher’s findings into consideration to make sure they don’t leave their customers exposed to malicious operations.
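
The unfiltered-HTML problem described above, as an added example that is not taken from Osborn's talk or from any of the apps named: an app that builds its interface as HTML for an embedded browser has to encode every remote field for the context it lands in. The placemark object, the function names and the sample data are hypothetical.

```javascript
// Added example: all names and sample data here are constructed for illustration.

// Characters that change meaning in HTML text and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme (javascript:, data:, file:) is dropped.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
  } catch (_) {
    return null; // not an absolute URL
  }
}

// Weak: remote fields are concatenated into markup, so markup inside the
// data is interpreted by the embedded browser as part of the app's own UI.
function renderPlacemarkUnsafe(p) {
  return '<div class="balloon"><h3>' + p.name + '</h3><p>' + p.description + '</p></div>';
}

// Hardened: text fields are HTML-encoded, the link is scheme-checked and
// then attribute-encoded, so remote data can only ever be displayed as text.
function renderPlacemarkSafe(p) {
  const href = safeHref(p.link);
  const link = href ? '<a href="' + escapeHtml(href) + '">More</a>' : '';
  return '<div class="balloon"><h3>' + escapeHtml(p.name) + '</h3><p>' +
         escapeHtml(p.description) + '</p>' + link + '</div>';
}

// Constructed sample: a layer entry whose fields carry markup instead of plain text.
const sample = {
  name: 'Cafe <b>Central</b>',
  description: '<script>document.title="injected"</script>',
  link: 'javascript:void(0)',
};

console.log(renderPlacemarkUnsafe(sample));
console.log(renderPlacemarkSafe(sample));
```

When the view is populated through the DOM rather than by string building, assigning remote fields with `textContent` instead of `innerHTML` gives the same guarantee for text nodes.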
