Intrepidus Group has been doing mobile application security testing for over three years now, and during this time we’ve discovered and responsibly disclosed a number of vulnerabilities in Brew, Windows Mobile, BlackBerry, and iPhone applications. We have been contracted time after time to perform threat modeling, penetration testing, and various other security assessments on these platforms. So, as anyone would expect, we were all looking forward to getting a look at Palm’s new WebOS platform.
So what vulnerabilities are we talking about? What was uncovered after a few hours of poking around? The WebOS SMS client wasn’t performing input/output validation on any SMS messages sent to the handset. This led to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message). We have produced a video demonstrating some of these possible attacks.
In this video, a number of text messages were sent to the device. Leveraging the HTML injections and some innate WebOS functionality, we were able to perform actions ranging from opening up a website by simply reading an SMS to turning off the handset’s radio.
This demonstration focuses only on the SMS client of WebOS. The HTML injection bug may be present in a number of WebOS applications. Any app installed via the marketplace (even other Palm-developed apps) may be vulnerable to this or other common web application vulnerabilities. We hope that by seeing these attacks in action, WebOS application developers will know what kind of defenses they must code into their applications. We hope that by raising awareness of this threat, users will be aware of the dangers their WebOS applications can present, and that product managers will insist on security assurance testing before their offering goes live.
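The defense the SMS view lacked is output encoding of sender-controlled text before it reaches an HTML-based view. The following is an added example, not code from the original post or from Palm; the function names, the message object shape and the sample message are constructed for illustration and assume a view that is assembled as an HTML string.

```javascript
// Added example: framework-neutral sketch, all names are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "before": sender-controlled fields concatenated straight into markup,
// so any tags in the message become part of the application's own view.
function renderUnsafe(msg) {
  return '<div class="sms"><span class="from">' + msg.from + "</span>" +
         "<p>" + msg.body + "</p></div>";
}

// Hardened: every field that originates off-device is encoded at output time.
// Line breaks are converted only after escaping, so <br> is the one tag the
// body can ever contribute.
function renderSafe(msg) {
  const body = escapeHtml(msg.body).replace(/\r?\n/g, "<br>");
  return '<div class="sms"><span class="from">' + escapeHtml(msg.from) + "</span>" +
         "<p>" + body + "</p></div>";
}

// Regression check for a test suite: list any element in the rendered output
// that the template itself does not produce.
function injectedTags(html) {
  const allowed = new Set(["div", "span", "p", "br"]);
  const found = [];
  for (const m of html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample message (not taken from the video).
const sample = {
  from: "+15555550100",
  body: 'hi <iframe src="http://example.invalid/"></iframe>\nbye',
};

console.log("unsafe view adds:", injectedTags(renderUnsafe(sample)));
console.log("safe view adds:  ", injectedTags(renderSafe(sample)));
```

Where a view is built with DOM APIs instead of strings, assigning the message to `textContent` gives the same result without manual escaping.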