DocumentCode :
3761547
Title :
Detection and Prevention of Code Injection Attacks on HTML5-Based Apps
Author :
Xi Xiao;Ruibo Yan;Runguo Ye;Qing Li;Sancheng Peng;Yong Jiang
Author_Institution :
Grad. Sch. at Shenzhen, Tsinghua Univ., Shenzhen, China
fYear :
2015
Firstpage :
254
Lastpage :
261
Abstract :
Security on mobile devices is becoming increasingly important. HTML5 is widely used to develop mobile applications due to its portability across multiple platforms. However, Web technology allows data and code to be mixed together. HTML5-based applications are prone to code injection attacks that are similar to XSS. In this paper, we first introduce a more hidden type of code injection attack, the coding-based attack. In this new type of code injection attack, JavaScript code is encoded in a human-unreadable form. Then we use machine learning classification algorithms to determine whether an app suffers from the code injection attack or not. The experimental results show that the precision of our detection method reaches 95.3%. Compared with the other method, our approach greatly improves detection speed with the precision nearly unchanged. Furthermore, an improved access control model is proposed to mitigate the attack damage. In addition, filters are adopted to remove JavaScript code from data to prevent the attacks. The effectiveness and rationality have been validated through extensive simulations.
Keywords :
"Encoding","HTML","Feature extraction","Smart phones","Big data","Mobile applications"
Publisher :
IEEE
Conference_Titel :
Advanced Cloud and Big Data, 2015 Third International Conference on
Print_ISBN :
978-1-4673-8537-4
Type :
conf
DOI :
10.1109/CBD.2015.48
Filename :
7435482