
The Situation:

Alice uses an online banking website which stores a cookie of her credentials.

Before the cookie expires, Eve sends Alice a malicious URL which subsequently causes Alice to withdraw money from her bank account and send it to Eve.

This is a common CSRF example for web applications, but how feasible is it to do this inside of a mobile application?


What if Alice uses a banking application on her phone which stores a cookie and then visits a site from Eve which has a similar outcome?

Will a cookie on Alice's mobile device from a native (or hybrid) application be vulnerable to manipulation, or are these cookies typically sandboxed on the device somehow?

I would assume cookies on iOS, Android, etc. work the same as a normal browser, but is this actually the case?

EDIT:

This question was originally meant to be generic across all mobile devices. Even something such as creating a cookie in JavaScript and then using PhoneGap or Titanium could be relevant I believe. After reading more into this, I'm also curious if compiling the JavaScript using one of these other technologies would affect native devices' cookies and how they store them.

The main point of using cookies would be to maintain the credentials of the user so they wouldn't have to log out and log back in every time with their bank account. After reading more about this issue, it seems like there are different scenarios for each particular device and it is in fact possible to CSRF an application. As an example, Shared Preferences in Android are sandboxed to prevent other applications from accessing the values.

Asked by Eric Hotinger (edited by Community)

Comments:

  • Applications generally don't have cookies, at least on Android. You may wish to explain, in significantly greater detail, your attack scenario. In particular, be **precise** about whether you are referring to native applications, mobile Web sites, or something else. – CommonsWare Aug 05 '13 at 17:37
  • I am talking about native applications here. I'm pretty sure you can create cookies in both iOS and Android, but I could be wrong on the latter. What makes the attack scenario confusing? Consider Alice using a banking app (native) on her phone, then switching to Safari on iOS. Then she gets hit with a CSRF from browsing online -- could this take her banking app's cookies, which are on the phone? – Eric Hotinger Aug 05 '13 at 17:44
  • "What makes the attack scenario confusing?" -- among other things, you have not stated how, precisely, your "banking application" is creating and using cookies. – CommonsWare Aug 05 '13 at 18:06
  • Please read my edit; I had originally meant this to be a general architecture question, hence the language-agnostic and mobile tags. I did not think the exact creation or usage of the cookies was necessarily as relevant as how each platform handles the storage by default. In the case of Android, it does seem that how you create and store the cookies does matter in the attack and it can have vulnerabilities. In iOS it also seems that it is fairly sandboxed. I linked a related post by Reto Meier. – Eric Hotinger Aug 05 '13 at 18:39
  • Actually, such an attack can be reproduced, but only if an application uses the WebView control and its developers have decided to add the 'all urls' intent filter. But no one except browser developers adds such an intent filter, so this scenario is almost impossible. – vortexwolf Aug 05 '13 at 20:24
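As an added example (not code from the question or from any of the answers), the following Python models the bank-transfer scenario in the question from the server's side. The point it makes is the one the answers rely on: the browser attaches the bank's session cookie to any request for the bank, including a form auto-submitted from Eve's page, so the cookie alone cannot identify who initiated the request. The server therefore checks the `Origin` header and a per-session synchronizer token that only the bank's own page can embed. The origin `https://bank.example`, the in-memory session store, and the request dictionaries are all constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory state for the example: no real bank, no network.
SESSIONS = {}                           # session cookie value -> session data
BANK_ORIGIN = "https://bank.example"    # hypothetical origin of the banking site


def login(user, balance):
    """Create a session cookie value and a per-session CSRF token for `user`."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "balance": balance}
    return sid


def csrf_token_for(sid):
    """The token the bank embeds as a hidden field in its own transfer form."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(headers, cookies, form):
    """
    Server-side handler for POST /transfer.

    headers: request headers; browsers set Origin (or Referer) on cross-site POSTs
    cookies: cookies the browser attached (the bank's session cookie, if any)
    form:    posted fields: amount, to, and csrf_token from the bank's own page
    Returns (status_code, message).
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"

    # Check 1: the request must originate from the bank's own origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return 403, "missing origin"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != BANK_ORIGIN:
        return 403, "cross-site request rejected"

    # Check 2: synchronizer token, compared in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "bad csrf token"

    amount = int(form.get("amount", 0))
    if amount <= 0 or amount > session["balance"]:
        return 400, "invalid amount"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {form.get('to')}"


def demo():
    """Run Alice's legitimate transfer and a forged one; return the outcomes."""
    sid = login("alice", 1000)
    cookies = {"session": sid}   # the browser attaches this to every bank request

    # Alice submits the bank's own transfer form, which carries the token.
    ok = handle_transfer(
        {"Origin": BANK_ORIGIN}, cookies,
        {"amount": "100", "to": "bob", "csrf_token": csrf_token_for(sid)})

    # A page on another origin auto-submits a form to the bank. The browser still
    # attaches Alice's cookie, but the Origin differs and the token is unknown.
    forged = handle_transfer(
        {"Origin": "https://evil.example"}, cookies,
        {"amount": "900", "to": "eve"})

    # Defence in depth: even a same-origin request without the token is refused,
    # so the token check stands on its own if the origin check is ever relaxed.
    no_token = handle_transfer(
        {"Origin": BANK_ORIGIN}, cookies, {"amount": "900", "to": "eve"})

    return ok, forged, no_token, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Both checks are independent: the origin check rejects the cross-site request outright, and the token check rejects any request that did not come from a page the bank itself rendered. Marking the session cookie `SameSite=Lax` or `SameSite=Strict` adds a third, browser-enforced layer by not attaching the cookie to cross-site POSTs at all. A native app with its own cookie store, as the answers below describe, never attaches that cookie to a browser request in the first place, which is why the question's scenario does not transfer to separate applications.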

2 Answers

> Will a cookie on Alice's mobile device from a native (or hybrid) application be vulnerable to manipulation, or are these cookies typically sandboxed on the device somehow?

A CSRF attack involves one application: the browser. Your proposed attack involves two separate applications: the banking app and the browser.

Generally speaking, separate applications are separate. Safari does not share data with Firefox, even if both are installed on the same OS X machine. Now, there could be bugs in one or the other that might allow JS to have unfettered access to the OS filesystem and therefore allow a web site in Safari to access Firefox's data (or vice versa), but this is not really related to a CSRF.

The same thing holds for any separate applications, on any modern OS.

> Even something such as creating a cookie in JavaScript and then using PhoneGap or Titanium could be relevant I believe.

Not really, any more than Safari having cookies and Firefox having cookies are somehow tied.

> it is in fact possible to CSRF an application

You are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

> As an example, Shared Preferences in Android are sandboxed to prevent other applications from accessing the values.

Correct. This has little to do with CSRF.

> In the case of Android, it does seem that how you create and store the cookies does matter in the attack and it can have vulnerabilities.

Again, you are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

> although physical access to the device leads to a security concern

Teleporter technology that would allow a CSRF to cause a mobile device to physically change its location (and therefore have an impact on physical access) has yet to be developed.

Answered by CommonsWare (edited by Pang)

Web browsers and apps do not share the same cookie store, so CSRF attacks in this manner shouldn't be possible. Apps can also use a web view, but each web view has its own cookie store [1], so a CSRF attack between two apps is also not possible.

From reading this [2], it does look like it is possible to store cookies on the file system, which could be used as an attack vector via another app, but not via a web browser.

[1] http://developer.appcelerator.com/question/123991/cookie-sharing-between-defaultnative-browser-and-webviews-in-an-app

[2] http://developer.android.com/reference/android/webkit/CookieManager.html

Answered by foiseworth (edited by Pang)