Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

At today's TakeDownCon security conference in Las Vegas, researcher Kyle Osborn will present some examples of cross-site scripting attacks that he and colleagues have discovered on mobile devices. "XSS is generally considered to be a browser attack," Osborn said in an interview with Ars Technica. But many applications, he said, such as those built with cross-platform mobile-development tools like PhoneGap, use HTML rendering to handle display of data. If applications aren't properly coded, it's possible for JavaScript or other web-based attacks to be injected into them through externally-provided data. "Often, there are times when you can just make a JavaScript request and pull files from the local filesystem," he said.