I was up in the DC area last week for the Department of Homeland Security (DHS) Software Assurance Forum. While I was there I was also fortunate enough to stop by the OWASP NoVA meeting, where I gave a brief fire talk titled “Mobile Browser Content Handling”.
Slides are available online here:
Most mobile platforms allow developers to register applications to handle requests that would otherwise be handled by the web browser. This lets developers provide a richer experience than a browser on its own, but it also opens up avenues for attackers. Attackers can try to subvert application behavior by seeding malicious websites with specially crafted links intended to launch a target application with malicious parameters included in the URL. Developers should understand the situations in which their applications might be executed in response to malicious web content, properly validate all incoming data, and request appropriate confirmation from users before performing sensitive actions.
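The validation-and-confirmation advice above, worked through as an added example (not code from the talk or from any real application). It is platform-neutral Python rather than Android or iOS code so the logic can be run as-is: `exampleapp` is a constructed scheme, and the `open` and `transfer` actions, their parameter formats, and the `confirm` callback standing in for the platform's user prompt are all assumptions made for the illustration. The point it shows is that a URL arriving from a web page is untrusted input: the handler accepts only allowlisted actions with exactly the expected parameters in a strict format, refuses duplicates rather than guessing which copy wins, and holds any sensitive action until the user explicitly approves it.

```python
"""Allowlist-based validation for a custom URL scheme handler.

Added example for this post; the scheme, actions and parameter formats
are constructed placeholders, not any real application's interface.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the scheme this hypothetical app registers with the platform.
APP_SCHEME = "exampleapp"

# Allowlist of actions reachable from a URL. Each action names the
# parameters it accepts (with a strict format for each) and whether it is
# sensitive, i.e. must never run without an explicit user confirmation.
ACTIONS = {
    "open": {
        "params": {"page": re.compile(r"[a-z0-9_-]{1,32}")},
        "sensitive": False,
    },
    "transfer": {
        "params": {
            "to": re.compile(r"[A-Z0-9]{8,16}"),
            "amount": re.compile(r"[0-9]{1,6}(\.[0-9]{2})?"),
        },
        "sensitive": True,
    },
}


class UrlRejected(ValueError):
    """Raised for any URL the handler refuses to act on."""


def parse_app_url(url):
    """Parse and validate an incoming exampleapp:// URL.

    Returns {action, params, requires_confirmation}; raises UrlRejected
    on anything outside the allowlist. Every field is checked because the
    URL may have been placed on a web page by a third party.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != APP_SCHEME:
        raise UrlRejected("unexpected scheme: %r" % parts.scheme)
    # Expected layout is exampleapp://<action>?<params>; anything else
    # (extra path segments, fragments) is refused rather than ignored.
    if parts.path not in ("", "/") or parts.fragment:
        raise UrlRejected("unexpected path or fragment")
    action = parts.netloc.lower()
    spec = ACTIONS.get(action)
    if spec is None:
        raise UrlRejected("unknown action: %r" % action)

    # keep_blank_values so an empty value is seen (and rejected by the
    # format check below) instead of being silently dropped.
    raw = parse_qs(parts.query, keep_blank_values=True)
    if set(raw) != set(spec["params"]):
        raise UrlRejected("parameters must be exactly %s" % sorted(spec["params"]))
    params = {}
    for name, pattern in spec["params"].items():
        values = raw[name]
        if len(values) != 1:
            # Duplicate parameters are ambiguous (which copy wins depends on
            # the parser), so refuse rather than guess.
            raise UrlRejected("parameter %r given %d times" % (name, len(values)))
        # fullmatch: the whole decoded value must fit the format, with no
        # trailing characters or newlines slipping past an anchored regex.
        if not pattern.fullmatch(values[0]):
            raise UrlRejected("parameter %r has an invalid value" % name)
        params[name] = values[0]
    return {"action": action, "params": params,
            "requires_confirmation": spec["sensitive"]}


def handle_app_url(url, confirm):
    """Entry point the platform's URL dispatch would call.

    `confirm` stands in for the platform's prompt: it receives the validated
    request and returns True only if the user approved it.
    """
    request = parse_app_url(url)
    if request["requires_confirmation"] and not confirm(request):
        return "cancelled"
    p = request["params"]
    if request["action"] == "open":
        return "open:" + p["page"]
    return "transfer:%s:%s" % (p["to"], p["amount"])


if __name__ == "__main__":
    # A benign link needs no prompt; a link to a sensitive action is held
    # until the user approves it, so a crafted link alone cannot trigger it.
    print(handle_app_url("exampleapp://open?page=settings", confirm=lambda r: False))
    print(handle_app_url("exampleapp://transfer?to=ACCT0000001&amount=25.00",
                         confirm=lambda r: False))
```

On a real platform the same structure applies: the Android `Intent` data URI or the iOS `openURL` argument is the `url` here, and the confirmation should be a dialog that shows the user the validated parameters (recipient, amount) before the action runs, not a generic "Continue?" prompt.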
The SANS folks have a great blog post about how this works in iOS (iPhone, iPad). Check out the slide deck for more details, and I will be following up shortly with a blog post on the specifics of how this works on the Android platform.
dan _at_ denimgroup.com