Abstract

Frame Confusion is a vulnerability affecting hybrid applications which allows circumventing the isolation granted by the Same-Origin Policy. The detection of such vulnerability is still carried out manually by application developers, but the process is error-prone and often underestimated. To overcome this limitation, we propose a sound and complete methodology to detect the Frame Confusion on Android as well as a publicly-released tool (i.e., FCDroid) which implements such methodology and allows to detect the Frame Confusion in hybrid applications, automatically. We also make public the results obtained by analyzing 50K apps using FCDroid, which have revealed that many hybrid applications suffer from Frame Confusion.

The Tool

The detection of Frame Confusion poses several challenges in terms of implementation. Indeed, an automatic detection tool needs to:

  • achieve maximum coverage, i.e., by detecting all possible app execution paths that may lead to the vulnerability;
  • recognize the actual configuration of WebView components, which may dynamically enable JavaScript or define new interfaces;
  • analyze all the web pages loaded inside some potentially vulnerable WebViews, by also considering those loaded according to i) the user’s input, and ii) the value of runtime variables.

To address such challenges, an automatic tool can rely on static and dynamic analysis techniques. Static analysis techniques examine all possible execution paths and variable values, not just those invoked during execution. However, static approaches can i) introduce false positives and ii) be unable to detect complex scenario, like, e.g., values provided by the user or resources loaded at runtime. On the other hand, dynamic analysis techniques allow to detect the actual behavior of the app, but they are limited by i) the coverage of the analysis and ii) the time required for the analysis, thus producing potential false negatives. To this aim, FCDroid combines static and dynamic analysis techniques to overcome the limitations of both approaches and achieve more accurate detection results. FCDroid is composed by five main building blocks: the Static Analysis Module (SAM), the Dynamic Analysis Module (DAM), the WebSite Dumper (WD), the Frame Confusion Detector (FCD) and the Exploitation Checker (EC).

Demo

Drop an application here or click to choose one
(max. 100 MB)

Results

Team

Acknowledgment

A special acknowledgment is for Talos S.r.l.s., which provides the server for executing the analyses.