Automatically Retrofitting Cordova Applications for Stricter Content Security Policies

Basil Schöni. Automatically Retrofitting Cordova Applications for Stricter Content Security Policies. Bachelor’s thesis, University of Bern, February 2020.

Abstract

Content Security Policy (CSP), a feature present in Android’s WebView for many years, has the potential to protect against most types of code injection attacks. However, adoption rates are low and existing policies often apply weak restrictions. We investigate attack methods against WebView and how CSP can prevent them. We found that there is a wide variety of injection vectors, ranging from external sources like NFC communications to internal ones like Android’s inter-app communication. The impacts include breaches of privacy, credential stealing and further spreading of malicious code. CSP mitigates such attacks by blocking various classes of code execution, loading external data, exfiltration of data, UI manipulation and insecure connections. We propose a tool that generates such CSP definitions for pre-existing, real-world Cordova apps. To improve the strictness of these CSP definitions, our tool attempts to rewrite all JavaScript APIs that are restricted by CSP. We evaluated the tool using a large data set and found that we can avoid the "script-src unsafe-inline" definition in 84.28% and the "style-src unsafe-inline" definition in 25.88% of cases. Conversely, for the "script-src unsafe-eval" definition, no application could benefit from our rewriting and for "style-src unsafe-eval", loosening strictness could only be avoided for 2.89% of applications. From this we conclude that while our approach provides significant benefits with respect to the "unsafe-inline" keywords, it is mostly ineffective in rewriting to avoid the "unsafe-eval" keywords. We identified six patterns which limit either the strictness or the non-breaking behavior of our generated policies and two use cases which make the static generation of non-breaking policies completely impossible. We conclude that any static rewriting of JavaScript APIs should apply in-depth flow analysis and be able to deal with special syntaxes introduced by the most common UI frameworks. Approaches like ours that do not apply these measures may work well for smaller applications, but will cause breaking for more complex ones.

Posted by scg at 7 February 2020, 6:15 pm
