In the mobile app ecosystem, super-apps serve as platforms hosting mini-apps, enabling cross-platform operation across Android and iOS. Traditionally, attacks on mobile apps have targeted native applications, web pages, and networks. Our research pioneers a novel exploitation vector that targets mobile apps through mini-apps. For security reasons, the capabilities exposed to mini-apps must be strictly restricted and implemented inside a sandbox. After comprehensive research on 11 popular super-apps involving hundreds of APIs, we found that the sandbox environment cannot provide the isolation expected of it. Attackers can exploit different methods of sandbox escape and privilege escalation, such as attacks against storage and network capabilities, leading to remote code execution (RCE) and account hijacking. Additionally, we have adapted JavaScript prototype pollution to the mini-app framework. This adaptation allows attackers to tamper with the logic of the mini-app environment, enabling malicious mini-apps to invoke privileged APIs, inject parameters, and access sensitive data. This is the first instance of deploying this attack in mobile apps, with implications more severe than those in web security. The significant risks we identified affected 9 different super-apps with over 10 billion downloads. (All of the risks have already been reported and repaired.) Through our presentation, we want to expose a new remote attack surface for mobile apps and improve the security of super-apps to better protect the privacy of billions of users.
By:
Wei Wen | Security Engineer, IES Red Team of ByteDance
Xiangyu Cao | Security Researcher, IES Red Team of ByteDance
Jiangchunxi Hou | Security Researcher, IES Red Team of ByteDance
Zixi Liao | Security Researcher, IES Red Team of ByteDance
Yingyan Song | Security Engineer, IES Red Team of ByteDance
Zhongcheng Li | Security Researcher, IES Red Team of ByteDance
Yijie Zhao | Security Researcher, IES Red Team of ByteDance
Bin Ma | Security Researcher, IES Red Team of ByteDance
Full Abstract and Presentation Materials: https://ift.tt/Gnb8tWs
source https://www.youtube.com/watch?v=J5Jn0-FsAc8
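The abstract describes prototype pollution being used to make a mini-app host grant privileged API calls it never authorised. The following added example (not code from the talk, its authors, or any super-app) models a hypothetical host bridge with a recursive options merge and a grant-table check, showing the vulnerable form beside the hardened one; all names, the payload and the "readContacts" API are invented for illustration.

```javascript
// Added example, not the talk's or any super-app's code: a hypothetical host bridge
// merges mini-app options into its config and checks a grant table before
// dispatching a privileged API. Every name below is invented for illustration.
const isObj = (v) => v !== null && typeof v === "object";
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Constructed payload: JSON.parse makes "__proto__" an ordinary own key, which
// a naive recursive merge then follows onto Object.prototype.
const UNTRUSTED_OPTIONS = JSON.parse('{"title":"x","__proto__":{"readContacts":true}}');

// Vulnerable merge: descends into every key, "__proto__" included.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (!isObj(src[key])) target[key] = src[key];
    else naiveMerge(isObj(target[key]) ? target[key] : (target[key] = {}), src[key]);
  }
  return target;
}

// Hardened merge: refuses prototype keys and only descends into own sub-objects.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
    if (!isObj(src[key])) target[key] = src[key];
    else safeMerge(hasOwn(target, key) && isObj(target[key]) ? target[key]
                                : (target[key] = Object.create(null)), src[key]);
  }
  return target;
}

// Grant checks: the naive one lets an inherited (polluted) key count as a grant;
// the hardened one accepts own properties only, on a null-prototype table.
const naiveAllowed = (grants, api) => grants[api] === true;
const safeAllowed = (grants, api) => hasOwn(grants, api) && grants[api] === true;

// Merge the options, then ask whether the mini-app may call an API it was never
// granted. The finally block undoes any pollution so scenarios stay independent.
function scenario(merge, allowed, grants) {
  try {
    merge({ ui: {} }, UNTRUSTED_OPTIONS);
    return allowed(grants, "readContacts") ? "executed" : "denied";
  } finally {
    delete Object.prototype.readContacts;
  }
}
function runAll() {
  return {
    vulnerable: scenario(naiveMerge, naiveAllowed, {}),                // "executed"
    checkOnly: scenario(naiveMerge, safeAllowed, Object.create(null)), // "denied"
    fixed: scenario(safeMerge, safeAllowed, Object.create(null)),      // "denied"
  };
}
```

The `checkOnly` case shows that an own-property check on a null-prototype grant table blocks the call even when the merge is still polluting, which is the defence-in-depth a host should keep at the API dispatch layer regardless of how option objects are built.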