Research Article
COIN-VASE: Code Injection Vulnerability Scanning Environment for HTML5-Based Android Apps
@INPROCEEDINGS{10.4108/eai.30-11-2016.2267038,
  author={Su Yeon Choi and Jee Ah Lee and Wonhee Lee and Hae Young Lee},
  title={COIN-VASE: Code Injection Vulnerability Scanning Environment for HTML5-Based Android Apps},
  proceedings={The 8th EAI International Conference on Mobile Computing, Applications and Services},
  publisher={ACM},
  proceedings_a={MOBICASE},
  year={2016},
  month={12},
  keywords={mobile security html5-based mobile apps javascript code injection attacks vulnerability scanners},
  doi={10.4108/eai.30-11-2016.2267038}
}
- Su Yeon Choi
- Jee Ah Lee
- Wonhee Lee
- Hae Young Lee
Year: 2016
Proceedings: MOBICASE
Publisher: ACM
DOI: 10.4108/eai.30-11-2016.2267038
Abstract
Although using HTML5-based techniques to develop mobile apps is a good way to overcome the limitations of multiplatform development, apps built with these technologies are subject to code injection attacks, in which malicious JavaScript code can be injected through multiple channels and then executed. This work-in-progress paper presents an environment for scanning HTML5-based Android apps for potential code injection vulnerabilities. The proposed environment performs a black-box test that injects traceable HTML tags into an app running on an emulator through internal, external, and UI channels, and then observes whether any of the injected HTML tags have been triggered. The proposed environment could identify potential code injection vulnerabilities in apps, regardless of development framework, before they are exploited. A prototype is being developed based on our proof-of-concept.