
Research Paper

The document surveys code injection attacks in mobile cloud computing, focusing on the vulnerabilities of HTML5-based mobile applications that arise from their cross-platform capabilities. It discusses various attack surfaces, the nature of code injection attacks, and the importance of input validation and sanitization techniques to mitigate these security threats. Additionally, the paper reviews existing detection solutions for code injection attacks and highlights the need for improved security measures in mobile cloud environments.

A survey on Code Injection Attacks in Mobile Cloud Computing Environment

O. S. Jannath Nisha (406115006@nitt.edu)
S. Mary Saira Bhanu (msb@nitt.edu)
Department of Computer Science and Engineering
National Institute of Technology, Tiruchirappalli-620 015, India

2018 8th International Conference on Cloud Computing, Data Science & Engineering (Confluence)
978-1-5386-1719-9/18/$31.00 © 2018 IEEE

Abstract— Mobile Cloud Computing is a combination of Mobile Computing, Cloud Computing and wireless networks to convey rich computational resources to mobile users, network operators, as well as cloud computing providers. Nowadays, the market of mobile devices and their applications is growing at an alarming speed. In general, a single application for a specific purpose is not compatible with different operating systems, so the developer has to develop various versions of the application which are compatible with different platforms. In order to overcome the drawback of compatibility and interoperability issues, HTML5-based mobile applications are built by using standard web technologies. HTML5-based mobile applications support the same version of an application on different platforms, but these applications are vulnerable to attacks because the data and code are fused together. A new form of Code Injection Attack found in this type of mobile application inherits the property of the XSS attack and also uses many channels to inject malicious code, such as Contact, SMS, WIFI, NFC, Barcode etc. This allows the attacker to inject malicious code to exhaust all the resources of the victim. Therefore, security is the major issue which impedes the development of Mobile Cloud Computing. This paper surveys the malicious code injection attacks in the Mobile Cloud Computing environment and the possible solutions.

Keywords—Mobile Cloud Computing; Code Injection attack; HTML5-based mobile applications; Cross-site scripting attacks; Sanitization technique

I. INTRODUCTION

Cloud Computing has emerged as one of the prominent technologies that offers on-demand services (CPU, network bandwidth, memory, storage, applications etc.) to the users by allocating virtual instances and software services. The increase in usage of mobile devices, viz. smartphones, tablets etc., requires more resources for storage and computation. Mobile devices support functionalities such as powerful processors, gorgeous display, HD camera, sensors and millions of powerful applications, which have some drawbacks such as miniature nature, lightness and mobility triads. Especially, mobile devices require faster CPU, larger size of RAM, extensive disk storage and long lasting battery for performing mobile applications such as speech recognition, NLP, video streaming applications etc. To execute these applications, the cloud provides the services to the user in a Mobile Cloud Computing (MCC) environment.

Mobile devices use operating systems like Android, Symbian, iOS etc., which may not support running a single application on all platforms. So the developers have to develop different applications for different platforms, like using Java for Android and Objective C for iOS. Nowadays, HTML5-based mobile applications are built to overcome these challenges. The characteristics of these apps are:

• Use of HTML5 and CSS to describe the user interface.
• Use of JavaScript to build the programming logic.
• Running in browser environments, e.g., WebView of Android and UIWebView of iOS.
• Apps can be easily ported from one platform to another.
• Use of middleware frameworks such as PhoneGap to access system resources like camera, GPS etc.

Due to their cross-platform support, 75% of the developers use HTML5 for application development. As a result, these technologies brought new security challenges to all major mobile platforms. One of the security threats is the Code Injection attack. In this attack, the attackers can inject some malicious code in the input field that is executed by the application to get unauthorised access. Code injection attacks are possible due to insufficient input validation. There are many possible channels for such attacks in mobile devices, e.g., Contacts, SMS, File Systems, NFC, and Camera. The injected code in mobile apps is more dangerous compared with traditional web apps. This survey discusses in detail the existing solutions on Code Injection Attacks.

The rest of the paper is organised as follows: Section II gives a concise description of MCC and its architecture. Section III describes MCC security issues. Next, the attack surfaces in MCC are outlined in Section IV. The code injection attacks and their countermeasures are described in Section V. Finally, Section VI concludes the survey of XSS attacks in MCC environment.

II. MOBILE CLOUD COMPUTING

A. Definition

Mobile Cloud Computing is an environment that brings abundant computational and storage resources to mobile devices, network providers, and cloud service providers.

B. Architecture of Mobile Cloud Computing

The mobile devices can access cloud services either through satellite or through access points. The schematic representation of MCC is illustrated in Fig.1. The mobile networks connect mobile devices through Base Transceiver Station (BTS), access point or satellite. Whenever a user requests a service, the request will be processed by the cloud server. The network operator provides Authentication, Authorisation and Accounting (AAA) services to the user. The user's request is conveyed to the cloud with the help of the Internet. In the cloud, the cloud controller delivers the relevant cloud service depending upon the request.

[Fig.1. MCC Architecture. Labelled components: mobile devices, base transceiver station, satellite, WiFi/3G/4G access point, mobile network services, network operator, Internet, cloud controller, cloud computing.]

III. ISSUES IN MCC

The MCC issues [6] are categorized based on technical aspects and security.

A. Technical Issues

The majority of the technical issues are categorized based on mobile computation and computing.

A.1 Mobile Communication Side

1) Low Bandwidth: MCC requires high bandwidth for transformation Radio resource, used for wireless networks, which has insufficient bandwidth for transfer.
2) Availability: Mobile clients cannot access the cloud to attain service due to heavy network traffic, network failures and mobile signal strength problems.
3) Heterogeneity: Heterogeneity in mobile devices, cloud service providers and wireless network technologies are the complicated problems in MCC environment.

A.2 Computing Side

1) Computation Offloading: MCC can improve the battery lifetime and increase the performance of applications. It is difficult to decide whether to offload an entire app or parts of the application.

B. Security Issues in MCC

B.1 Issues for Mobile Users:

1) Mobile devices are overwhelmed through various attacks such as code injection attack, DDOS attack, and authentication attack. Moreover, a Global Positioning System (GPS) enabled mobile device creates several privacy issues to the mobile user.
2) Security for mobile applications: The resource constrained mobile device is susceptible to security threats, even when anti-virus software is present on it.

B.2 Securing Data on Clouds: Mobile clients and developers store an enormous amount of data and applications in the cloud. Concealment, reliability and validation are the main elements to secure the information.

IV. ATTACK SURFACE IN MCC

An attack surface includes all the points in the software environment through which an adversary or unauthorized users can try to gain access to a system and cause damage to the environment. Fig.2 depicts the taxonomy of attacks in cloud.

A. Attack surface in SaaS model

Web applications are dynamic services in MCC that pull data from various servers in a cloud distributed environment. So, the attackers can insert malicious code into the web page by using the script. Once these scripts get executed on the browser, they cause undesirable actions.

B. Attack surface in PaaS model

PaaS is responsible for providing the software execution environment to their customers without buying servers, storage and networks. The responsibility is to implement strong encryption techniques to provide services to their customers without disruption. In this way, the responsibility is to secure runtime engines from the attackers. Multi-Tenancy is another major attack vector in this model. The PaaS model allows multiple users to access cloud services at the same time, thus a malicious user can have multiple ways of interfering and disrupting the normal execution of the PaaS container.

C. Attack surface in IaaS model

In cloud virtualization technology, the Virtual Machine Monitor (VMM) is the middleware layer between the OS and hardware which creates and runs several different virtual machines on a single piece of computer hardware. This technology is used to create APIs in order to perform administrative operations. Therefore the VMM increases the attack surface.

V. CODE INJECTION ATTACKS

Code Injection [8] is a type of attack in which the attackers can inject some malicious code in the input field that is executed by the application to get unauthorised access. These types of attacks occur when malicious JS code is inserted into an HTML document through un-trusted data [29], [30], [31], which leads to session hijacking, botnet spreading etc. So, improper sanitization and inappropriate input/output data validation pave the way for such attacks. Hence, input validation and malicious script sanitization are the most effective mechanisms for alleviating the effect of XSS attacks.
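The role of sanitization described above, as an added example (not code from the paper): a JavaScript sketch that renders values arriving over channels the paper names (Contacts, SMS, Barcode, Wi-Fi) with and without HTML output encoding, then checks whether the value changed the page's tag structure. The function names, the sample records and the `collect()` marker are assumptions constructed for illustration.

```javascript
// Added illustration. Records are constructed sample input standing in for
// values read from device channels; collect() is a harmless placeholder name.
const channelRecords = [
  { channel: "Contacts", value: "Alice O'Neil" },
  { channel: "SMS", value: "Meet at 5, 3 < 4 & counting" },
  { channel: "Barcode", value: '<img src="x" onerror="collect()">' },
  { channel: "Wi-Fi", value: "<script>collect()</script>" },
];

// Vulnerable pattern: the value is concatenated straight into markup, so the
// WebView's HTML parser treats channel data as code as well as data.
function renderUnsafe(rec) {
  return '<li class="item"><b>' + rec.channel + "</b>: " + rec.value + "</li>";
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every channel-derived value is encoded before insertion.
function renderSafe(rec) {
  return '<li class="item"><b>' + escapeHtml(rec.channel) + "</b>: " +
    escapeHtml(rec.value) + "</li>";
}

// Lists the tags and attribute names a parser would see, e.g. "li[class]".
// A simplified tokenizer for this illustration, not a full HTML parser.
function structureOf(html) {
  const tokens = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const bare = tag[3].replace(/"[^"]*"|'[^']*'/g, '""'); // drop attribute values
    const names = [];
    const attrRe = /([^\s"'=\/<>]+)\s*=/g;
    let attr;
    while ((attr = attrRe.exec(bare)) !== null) names.push(attr[1].toLowerCase());
    tokens.push(tag[1] + tag[2].toLowerCase() + "[" + names.join(",") + "]");
  }
  return tokens;
}

// True when rendering the record yields a different markup structure than
// rendering an inert placeholder, i.e. the data was parsed as code.
function introducesMarkup(render, rec) {
  const baseline = structureOf(render({ channel: rec.channel, value: "placeholder" }));
  const actual = structureOf(render(rec));
  return JSON.stringify(baseline) !== JSON.stringify(actual);
}

// Channels whose sample value altered the page structure under a renderer.
function auditChannels(render) {
  return channelRecords
    .filter((rec) => introducesMarkup(render, rec))
    .map((rec) => rec.channel);
}

console.log("unsafe renderer flagged:", auditChannels(renderUnsafe));
console.log("encoding renderer flagged:", auditChannels(renderSafe));
```

The encoding shown covers HTML text and quoted-attribute contexts only; in a DOM-based app, assigning the value through `textContent` keeps channel data out of the parser in the same way.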
[Fig.2 Taxonomy of Attacks on Cloud Service Delivery Models. IaaS attacks: Stepping-Stone Attack, Malicious Insiders, Cross VM Attacks, Return Oriented Programming Attack, VM Rollback. PaaS attacks: Phishing Attack, Password Reset Attack, Man-in-the-Middle Attack, Cloud Malware Injection Attack. SaaS attacks: Distributed Denial of Service attack, Authentication Attack, XML Signature Wrapping Attack, SQL injection Attack, Cross-Site Scripting Attack.]

Due to its portability on various platforms, HTML5 is used to develop mobile applications. HTML5 applications are vulnerable to code injection attacks which are similar to XSS. The standard web technologies like HTML5, JavaScript and CSS are used to create HTML5-based apps. Code Injection Attacks occur in HTML5-based mobile apps through various channels. Most of the mobile OS do not support JavaScript and HTML. To execute JavaScript code and display the user interface, a web browser component called WebView is embedded in an app. WebView [12] in Android directly allows content from the web to be displayed on mobiles.

In Cross-Site Scripting (XSS) [10] attacks, malicious scripts are injected into reliable websites. An attacker can send a malicious script to a victim's browser, which will execute the malicious script. Then it can access sensitive information reserved by the browser and also change the content of the HTML page. In addition, numerous mobile websites are vulnerable to this type of attack.

The browser can execute the malicious contents available in the form of JavaScript, HTML, Flash, and CSS. XSS attacks are unlimited and can transmit only personal data to the attacker and directing the user to another web page guarded by the attacker, or performing other harmful operations on the user's machine. Code injection attack on mobile application is shown in Fig.3.

[Fig.3 Code Injection Attacks. Code injection attacks on HTML5-based mobile apps use internal code injection channels (Contacts, Calendar, SMS, File System, MP3) and external code injection channels (Wi-Fi, Bluetooth, Barcode).]

HTML5-based [11] apps are prone to a wider attack surface than web apps. Code injection attack acquires the primary cause of XSS and it uses external and internal channels to insert code. Mobile devices have many channels through which an attack can happen, such as Contact, SMS, Barcode, MP3, Wi-Fi access points, Calendar, and Bluetooth. Fig.4 shows the XSS attack on web applications.

[Fig.4 XSS attack on Web Application. Labelled elements: attacker, web site, web content (data and code), victim device, web browser, render machine, JavaScript engine, display.]

A. Existing Detection Solutions for Code Injection Attack

The existing solutions for code injection attack are described here.

Atul S. Choudhary proposed [8] a code injection detection tool (CIDT) using a Proxy Agent. The agent separates the request as script request and query request. Two modules used are Query Detector and Script Detector. The client sends the both modules. First, the Query detector endorses only the valid requests and they are passed on to the next module. The Script detector filters the invalid tags and the HTML content before forwarding it to the web server to prevent SQL and XSS attack. The disadvantage of this approach is that it requires more time to respond.

Mukesh Kumar et al., [16] presented static analysis techniques to explore SQL Injection and XSS vulnerabilities available in a web application's source code. The aim of this technique is to find the vulnerable nature present in source code before it can be exploited in a real time application. Takeshi Matsuda et al., [17] proposed a detection algorithm to extract an attack feature of XSS by taking into account the frequency of symbols and their position. The main shortcomings are calculation based, given the suitable threshold value and it does not determine the unknown attacks efficiently.

Andrea Avancini et al., [18] resorted to search based security testing of web applications. The author used a static analysis technique to search for cross-site scripting attacks by using a genetic algorithm. Generation of test cases depends on static analysis, but it experiences many limitations such as high false negative rate and high false positive. Here the genetic algorithm uses fewer iterations to save time on infeasible paths. Cao et al., [19] developed a tool called Path Cutter, which blocks the propagation of unsafe JavaScript API through XSS vulnerabilities by dynamic analysis. The limitation perceived from this method is rendering latency at the Web browser. Chandra et al., [20] proposed the BIXSAN technique, which takes some sample scripts from the XSS cheat sheet, filters out the harmful content and converts the rest of the HTML content into Document Object Model (DOM).

Gundy et al., [21] presented a mechanism called Noncespaces that randomizes the (X)HTML tags and their characteristics to detect and alleviate inserted harmful script in all documents before transferring them to the browser. This mechanism is used to remove malicious content in the web browser and restricts the untrusted content from changing the DOM tree. Due to the unpredictability of the randomized tags, the attackers produce parsing faults when they try to insert the perfect delimiters in the untrusted content to sever the containing node.

Shaihriar et al., [22] proposed a method to detect the attacks at the server. This technique follows the concept of boundary injection to enclose dynamic-generated content and policy generation to confirm the data. It is developed on the concept of boundary injection to encapsulate dynamic-generated content and policy generation to validate the data. The boundary injection method identifies legitimate features such as HTML tags and JavaScript content that are analyzed in the HTTP response page to detect the XSS attacks. This approach takes time in performing the policy checks and thus degrades the performance in detecting attack capabilities.

The same authors in [23] proposed a server side code injection technique that inserts comment statements consisting of tokens generated randomly and features of benign JavaScript code. This approach detects only a part of code injection attack. There is no automated process in JavaScript parser to remove the preprocessing techniques such as command tags and return keyword in event handlers.

Martin et al., [24] presented a solution to fracking attacks, NOFRAK, which prevents untrusted foreign-origin web content from accessing device resources directly. It requires no changes to the existing hybrid app's code but modifies the PhoneGap framework. A third-party app can load web content but cannot access local resources on the device. This method limits the privilege of untrusted code and blocks it from accessing sensitive local resources.

Gupta S and Gupta BB [25] proposed a server-side automated framework, XSS-SAFE (Cross-Site Scripting Secure Web Application FramEwork), which is designed for detection and prevention of XSS attacks. This technique discovers the XSS attack vectors in the HTTP response messages by injecting the features of benign JavaScript code and randomly generated tokens. After the successful detection of injected XSS attack vectors, sanitizers are automatically placed in the JS code. Then the HRES message will be sent to the web browser without any malicious JavaScript code. The precision of extracted characteristics of JavaScript cannot be guaranteed.

The same authors in [26] also introduced the JS-SAN (JavaScript SANitizer) method to mitigate JS code injection vulnerabilities using an injection and clustering sanitization framework. To produce a compressed template of JS attack vector, JS-SAN performed clustering on the extracted JS attack vector payloads. JS-SAN injected the sanitizer on the compressed template in the JS code of web applications automatically.

Table 1 provides a summary of several related techniques on the detection of XSS attacks on HTML5-based apps. The first column highlights the topics of the different related work. The second and third columns emphasize the pros and cons to identify the research gaps.

VI. CONCLUSION

This paper reviews mobile cloud computing technology that provides services to mobile devices through cloud environment. The main emphasis of this survey is to study the different channels of code injection attacks. XSS attack is applicable to code injection attack through only one channel for web based applications, whereas in mobile applications the code injection is performed through many channels. So, in order to overcome the above challenges, a number of solutions have been taken into consideration for the detection of scripting attacks. The existing contemporary techniques are not effective in identification of XSS attacks.
Similarly, some of the techniques are infeasible in reality since they could not handle all channels of attack. The existing solutions concentrate only on the known injection channels, but many new channels are exploited along with the development of mobile devices to inject malicious code. Hence, it is necessary to provide a detection mechanism to accomplish security against code injection. Meta-heuristics algorithms can be used for feature selection, and various classification models can be used to enhance the classification accuracy and reduce the number of features extracted from the combination of static and dynamic techniques.

Table 1: Summary of Code Injection Attacks

| Sl.No | Existing Solution | Pros | Cons |
|---|---|---|---|
| 1. | NonceSpaces: uses randomization technique to enforce information flow tracking and thwart XSS attacks [21] | Avoids all the troubles and obscurity occurs with sanitization. It can detect only stored and reflected XSS attacks. | Does not provide any defensive mechanism regarding inserted JavaScript code downloaded from remote web site. |
| 2. | S2XS2: a server side approach to automatically detect XSS attacks [22] | Its main strength lies on the concept of "boundary injection" to generate dynamic content and "policy generation" to validate the user-injected data. | It consumes more time. It degrades the attack detection capability. |
| 3. | Injecting comments to detect JavaScript code injection attacks [23] | Its strength is to discover the XSS attacks by inserting the comment statements. The statement contains random tokens and characteristics of benign JavaScript code. | It detects only the part of the code for detection. |
| 4. | Path Cutter [19] | Path Cutter blocks the transmission path of XSS worms by restricting the DOM access and obstructs the illicit HTTP Web requests. | This tool cannot block the propagation of Drive-by Download worms. It fails to jam the exploitation of Phishing and Click-Jacking Attacks. |
| 5. | BIXSAN [20] | HTML parse tree producer is used to diminish the inconsistent performance of web browser as well as for the recognition of static script tags. | It cannot detect the dynamic attack since it uses the static code for detection. |
| 6. | XSS-SAFE [26] | This method can filter out untrusted code based on feature statement. Next, sanitizers are placed perfectly in the appropriate place. No modification is required at client/server side framework. | Accuracy of the extracted features cannot be assured. Some manual interference is required for training the model. High runtime overhead. Very difficult to place the sanitizers in the affected source code. |
| 7. | JS-SAN [27] | First the method compresses the attack vectors and places the sanitizer only on the compressed template of attack vectors. Reduce runtime overhead. High detection capability. | Complex to collect and compress the attack vectors. |

REFERENCES

[1] M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, "On Technical Security Issues in Cloud Computing," in PROC IEEE ICCC, Bangalore, pp. 109-116, 2009.
[2] Z. Sanaei, S. Abolfazli, A. Gani, and R. Buyya, "Heterogeneity in Mobile Cloud Computing: Taxonomy and Open Challenges," IEEE Communications Surveys and Tutorials, vol. 16, no. 1, pp. 369-392, 2014.
[3] http://www.mobilecloudcomputingforum.com/.
[4] N. Fernando, S. W. Loke, and W. Rahayu, "Mobile cloud computing: A survey," Future Generation Computer Systems, vol. 29, no. 1, pp. 84–106, 2013.
[5] H. T. Dinh, C. Lee, D. Niyato, and P. Wang, "A survey of mobile cloud computing: Architecture, applications, and approaches," Wireless Communications and Mobile Computing, 2013.
[6] Hazarika, Pinku, Vinod Baliga, and Seshubabu Tolety, "The mobile-cloud computing (MCC) roadblocks," Eleventh International Conference on Wireless and Optical Communications Networks (WOCN), 2014.
[7] A. N. Khana, M. L. M. Kiaha, S. U. Khanb and S. A. Madanic, "Towards secure mobile cloud computing: A survey," Future Generation Computer Systems, vol. 29, Issue 5, 2013.
[8] Atul S. Choudhary and M.L Dhore, "CIDT: Detection Of Malicious Code Injection Attacks On Web Application," International Journal Of Computing Applications, Vol. 52, No. 2, pp. 19-25 (2012).
[9] HTML5. http://en.wikipedia.org/wiki/HTML5
[10] X. Jin, T. Luo, D. Tsui, and W. Du, "Code injection attacks on HTML5-based mobile apps," In MoST, (2014).
[11] Jin. X, Hu. X, and Ying. K, "Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation," Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, pp. 66-67 (2014).
[12] WebView, https://developer.android.com/reference/android/webkit/WebView.html.
[13] P. Sharma, R. Johari, and S. S. Sarma, "Integrated approach to prevent SQL injection attack and reflected crosssite scripting attack," International Journal of System Assurance Engineering and Management, vol. 3, no. 4, pp. 343-351 (2012).
[14] Xi Xiao, Ruibo Yan, Runguo Ye, Qing Li, Sancheng Peng, and Yong Jiang, "Detection and Prevention of Code Injection Attacks on HTML5-based Apps," Third International Conference on Advanced Cloud and Big Data (2015).
[15] Guowei Dong, Yan Zhang, Xin Wang, Peng Wang, and Liangkun Liu, "Detecting Cross Site Scripting Vulnerabilities Introduced by HTML5," 11th International Joint Conference on Computer Science and Software Engineering (2014).
[16] Mukesh Kumar Gupta, "Static Analysis Approaches to Detect SQL Injection and Cross Site Scripting Vulnerabilities in Web Applications: A Survey," IEEE International Conference on Recent Advances and Innovation in Engineering (ICRAIE-2014), Jaipur (2014).
[17] Takeshi Matsuda, "Cross Site Scripting Attacks Detection Algorithm Based on the Appearance Position of Characters," The 5th International Conference on Communications, Computers and Applications (MIC-CCA2012); Istanbul, Turkey (2012).
[18] Andrea Avancini, and Mariano, "Security Testing of Web Applications: a Search Based Approach for Cross-Site Scripting Vulnerabilities," 11th IEEE International Working Conference on Source Code Analysis and Manipulation (2011).
[19] Cao. Y, Yegneswaran. V, Possas. P, and Chen, "Pathcutter: severing the self-propagation path of xss javascript worms in social web networks," In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA (2012).
[20] Chandra. V. S, and Selvakumar. S, "Bixsan: browser independent XSS sanitizer for prevention of XSS attacks," ACM SIGSOFT Softw. Eng. Notes 36(5), 1 (2011).
[21] Gundy. MV, and Chen. H, "Noncespaces: using randomization to defeat cross-site scripting attacks," Computer Security 31(4):612–628 (2012).
[22] Shaihriar. H, and Zulkernine. M, "S2XS2: a server side approach to automatically detect XSS attacks," In: Ninth international conference on dependable, automatic secure computing. IEEE, pp 7–17 (2011a).
[23] Shaihriar. H, and Zulkernine. M, "Injecting comments to detect JavaScript code injection attacks," In: Proceedings of the 6th IEEE workshop on security, trust, and privacy for software applications, Munich, Germany, pp 104–109 (2011b).
[24] Martin Georgiev, Suman Jana, and Vitaly Shmatikov, "Breaking and fixing origin-based access control in hybrid web/mobile application frameworks," 2014.
[25] X. Jin, L. Wang, T. Luo, and W. Du, "Fine-Grained Access Control for HTML5-Based Mobile Applications in Android," In Proceedings of the 16th Information Security Conference (ISC), 2013.
[26] Gupta, Shashank, and B. B. Gupta. "XSS-SAFE: a server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code." Arabian Journal for Science and Engineering 41.3 (2016): 897-920.
[27] Gupta, Shashank, and Brij Bhooshan Gupta. "JS-SAN: defense mechanism for HTML5-based web applications against javascript code injection vulnerabilities." Security and Communication Networks 9.11 (2016): 1477-1495.
[28] Gupta, Shashank, and B. B. Gupta. "Enhanced XSS Defensive Framework for Web Applications Deployed in the Virtual Machines of Cloud Computing Environment." Procedia Technology 24 (2016): 1595-1602.
[29] Gupta, Shashank, and Brij Bhooshan Gupta. "PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications." Proceedings of the 12th ACM International Conference on Computing Frontiers. ACM, 2015.
[30] Gupta, B. B., et al. "Cross-site scripting (XSS) abuse and defense: exploitation on several testing bed environments and its defense." Journal of Information Privacy and Security 11.2 (2015): 118-136.
[31] Gupta, Shashank, and Brij Bhooshan Gupta. "Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art." International Journal of System Assurance Engineering and Management 8.1 (2017): 512-530.