Published in: IEEE Security and Privacy Workshops

HybriDiagnostics: Evaluating Security Issues in Hybrid SmartHome Companion Apps


Abstract

This work presents HybriDiagnostics, a vulnerability-assessment framework that identifies nine preexisting security issues in IoT companion apps built using hybrid app development frameworks. At the heart of HybriDiagnostics is an analysis engine that identifies misconfigured policies (including Content Security Policy and whitelist), usage of inline scripts, unsafe eval() usage, unsafe HTML and jQuery APIs and attributes, unencrypted storage, usage of vulnerable Cordova SDKs, and more. The results of the analyses are documented in a security assessment report. A set of 102 Apache Cordova, Ionic, Monaca, OnsenUI, PhoneGap, and Framework7 smarthome apps are analyzed to identify the security issues. For each security issue, either a proof-of-concept attack or a hypothetical attack scenario is presented to demonstrate how the issue can be exploited to launch a serious cyberattack against the companion IoT device or the smartphone itself and compromise user privacy.
