Explore a critical security vulnerability in hybrid mobile applications that use postMessage for communication between web and native code. Dive into the concept of Origin Stripping Vulnerability (OSV) and its potential exploits, including remote microphone monitoring, data manipulation, and denial of service attacks. Learn about the systematic study conducted on OSV, the development of a detection tool called OSV-Hunter, and its evaluation on popular apps. Discover the impact on widely-used frameworks and libraries such as Facebook React Native and Google cloud print. Examine the proposed solution, OSV-Free, which introduces new postMessage APIs to mitigate the vulnerability from its root. Gain insights into the security, performance, and ease of implementation of OSV-Free, as well as its open-source availability for further exploration and application in mobile app development.
Overview
Syllabus
Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Apps
Taught by
IEEE Symposium on Security and Privacy