• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Home
  • People
  • News
  • Research
  • Publications
  • Releases
  • Resources
  • Contact Us

SUCCESS Lab

SUCCESS Lab

Texas A&M University College of Engineering

Hybrid-PostMessage & OSV-Free

INTRODUCTION

postMessage is popular in HTML5 based web apps to allow the communication between different origins. With the increasing popularity of the embedded browser (i.e., WebView) in mobile apps (i.e., hybrid apps), postMessage has found utility in these apps. However, different from web apps, hybrid apps have a unique requirement that their native code (e.g., Java for Android) also needs to exchange messages with web code loaded in WebView. To bridge the gap, developers typically extend postMessage by treating the native context as a new frame, and allowing the communication between the new frame and the web frames. We term such extended postMessage ‘hybrid postMessage’.

However, we find that hybrid postMessage introduces new critical security flaws: all origin information of a message is not respected or even lost during the message delivery in hybrid postMessage. If adversaries inject malicious code into WebView, the malicious code may leverage the flaws to passively monitor messages that may contain sensitive information, or actively send messages to arbitrary message receivers and access their internal functionalities and data. We term the novel security issue caused by hybrid postMessage ‘Origin Stripping Vulnerability’ (OSV).

To mitigate OSV from the root, we design and implement three new postMessage APIs, called OSV-Free. Our evaluation shows that OSV-Free is secure and fast, and it is generic and resilient to the notorious Android fragmentation problem.

SOURCE CODE

OSV-Free’s source code is released in github. Please check it.

PUBLICATION

Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications
Guangliang Yang, Jeff Huang, Guofei Gu, Abner Mendoza.
In Proc. of the 39th IEEE Symposium on Security and Privacy (S&P’18), San Francisco, CA, May 2018. [pdf] [bib]

What’s New?

  • Our new software-defined programmable security research “Mew” will appear in IEEE S&P’23 December 10, 2022
  • Patrick has successfully defended his PhD thesis! June 7, 2022
  • Our IoT malware analysis/detection paper won the Best Paper Award at ASIACCS’22! May 30, 2022
  • SWAPP paper (programmable web security platform) is accepted to USENIX Security’22! May 12, 2022
  • IoT malware analysis/detection paper is accepted to ASIACCS’22! February 10, 2022

© 2016–2023 SUCCESS Lab Log in

Texas A&M Engineering Experiment Station Logo
  • Opportunities
  • Prof. Gu’s Personal Website
  • Department of Computer Science & Engineering