HTML5-based Mobile App; PhoneGap Architecture; HTML5-based Mobile App and Risk; Overview of HTML5-based Mobile App


Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation

Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin and Gautam Nagesh Peri

Outline: Background and motivation; Overall problem definition and challenges; Related work; Solutions for paper 1; Solutions for paper 2; Comparison between the two papers; Conclusions


Hybrid Apps

App Development Comparison [figure, panels (a) to (h)]

Architecture of a hybrid app

Native container:
  Creates instance of UIWebView / android.webkit.WebView / etc.
  Navigates to main html file
  Implements listener/handler for requests coming from JS code
  Activates JS code when necessary

HTML5/CSS3/JS code:
  Implements UI and app logic
  Activates native handlers through OS-specific mechanism (custom URL scheme)
  Receives responses through JS handlers

PhoneGap – Open Source Framework

The de-facto standard for hybrid app development
Now in transition into becoming “Apache Callback”
Provides:
  A template implementation for the native container
  Implementation of the JS<->Native bridge for 6 mobile OSs
  OS-independent JS APIs for activating device functions

PhoneGap Architecture

HTML5-based Mobile App and Risk

Overview of HTML5-based Mobile App

addJavascriptInterface()

Overview of PhoneGap Architecture

Example: raising a native alert from JS code

Example: accessing the camera

Risks in HTML5-based Mobile App (JavaScript)

Data and code can be mixed together.

  var text="Hello!";
  document.write(text);

Once it runs, the data will be displayed, and the JavaScript code will also be executed.

Attack Procedures: Shortened URLs

Attack Procedures: SMS / Whatsapps / Facebook Messages / Emails

Facebook Messenger and in-app browser: clicking the messages executed the XSS payload.

Attack Procedures: Stealing content from Web SQL Database by XSS

  Sample Web SQL was initiated, storing cities information
  XSS vulnerability was injected in the code from QueryString
  XSS Payload was inserted in URL to retrieve the first city name from the table “city”
  The city name of the first record was successfully retrieved by XSS


Attack Procedures: Eavesdropping Mobile Website Traffic

  Sample mobile website required user to login, and profile page was displayed after authentication
  Tcpdump installed in the Android Emulator; it captured all the network traffic from the Emulator
  The plaintext traffic was viewed by Wireshark; username and password were captured easily

Demo: Would you scan this

Demo (Video): www.cis.syr.edu/~wedu/android/JSCodeInjection/index.html

Conclusion

CB-5988: Allow the Android exec() to be used only by <content>'s domain

Add a random number to exec() to increase its security.

Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn’t match that of content (with file:/// always being allowed).
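
The token check described in the conclusion, modelled in JavaScript as an added example; it is not Cordova/PhoneGap code and not from the slides. The class name BridgeGate, its method names and the example.test URLs are assumptions, and the start URL stands in for the app's start page (the content tag's src) resolved to an absolute URL.

```javascript
const crypto = require('crypto');

// Origin as scheme://host[:port]. file: pages get a fixed marker; opaque
// origins (data:, custom schemes) return null so they can never match.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === 'file:') return 'file://';
  return u.origin === 'null' ? null : u.origin;
}

// Hypothetical model of the native side of the JS<->Native bridge.
class BridgeGate {
  constructor(startUrl) {
    this.startOrigin = originOf(startUrl); // domain of the start page
    this.token = null;
  }

  // Call on every main-frame navigation. Returns a fresh random token only
  // when the main frame is file:/// or shares the start page's origin.
  onMainFrameLoaded(mainFrameUrl) {
    let origin = null;
    try { origin = originOf(mainFrameUrl); } catch { /* unparsable: deny */ }
    const allowed = origin !== null &&
      (origin === 'file://' || origin === this.startOrigin);
    // Any navigation invalidates the previous token, allowed or not.
    this.token = allowed ? crypto.randomBytes(16).toString('hex') : null;
    return this.token;
  }

  // exec() is honoured only when the caller presents the current token.
  exec(presentedToken, service, action) {
    if (this.token === null || typeof presentedToken !== 'string') return false;
    const a = Buffer.from(presentedToken);
    const b = Buffer.from(this.token);
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
    return true; // a real container would dispatch service/action here
  }
}
```

Because the token is regenerated on each main-frame load, a token captured on the app's own page stops working as soon as the WebView navigates to another domain.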
