Unlike modern browsers, which enforce the same-origin policy that prevents the dynamic web content of one domain from directly accessing the resources of another, today's mobile OSes have no origin-based security policies to control cross-origin communication between apps, and between an app and the web, the researchers note.
"[Cross-origin] attacks are unique to mobile platforms, and their consequences are serious: for example, using carefully designed techniques for mobile cross-site scripting and request forgery, an unauthorized party can obtain a mobile user’s Facebook/Dropbox authentication credentials and record her text input," they point out.
"Mobile apps essentially play the same role as traditional web browsers at the client side. However, different from conventional web applications, which enjoy browser-level protection for their sensitive data and critical resources (e.g., cookies), apps are hosted directly on mobile operating systems (e.g., Android, iOS), whose security mechanisms (such as Android's permission and sandbox model) are mainly designed to safeguard those devices' local resources (GPS locations, phone contacts, etc.)," the researchers explained. "This naturally calls into question whether the apps' web resources are also sufficiently protected under those OSes."
During their research, they came across five separate cross-origin issues in popular SDKs (software development kits) and in high-profile apps such as Facebook and Dropbox, and they found that these could be easily exploited to steal users' authentication credentials and other confidential information.
They also concluded that fixing cross-origin flaws would be difficult for app developers, and that origin-based protection must be supported by the OS. To prove their point, they designed a protection mechanism they dubbed "Morbs", which "labels every message with its origin information, lets developers easily specify security policies, and enforces the policies on the mobile channels based on origins."
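The idea behind origin-labelled channels, as an added illustration that is not the Morbs implementation: the OS attaches a sender origin to every message on a channel (URL scheme, intent, WebView bridge), the developer declares which origins may send on and receive from that channel, and the OS enforces the declaration. All names, channel strings and the sample registrations below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One message on a mobile channel; the sender label is attached by the OS, not the app."""
    sender: str    # origin label: "app:<package>" or "web:<scheme://host>" (constructed format)
    channel: str   # channel it travels on, e.g. "scheme:trusted-auth"
    payload: str


class OriginPolicy:
    """Developer-declared rules: per channel, which origins may send and which may receive."""
    def __init__(self):
        self.rules = {}  # channel -> {"send": set of origins, "recv": set of origins}
    def allow(self, channel, send=(), recv=()):
        rule = self.rules.setdefault(channel, {"send": set(), "recv": set()})
        rule["send"].update(send)
        rule["recv"].update(recv)
    def may_send(self, msg):
        return msg.sender in self.rules.get(msg.channel, {}).get("send", set())
    def may_receive(self, channel, receiver):
        return receiver in self.rules.get(channel, {}).get("recv", set())


def route_unlabelled(msg, registrations):
    """Today's OS behaviour: every app registered for the channel gets the message, sender unknown."""
    return {app: msg.payload for app, chans in registrations.items() if msg.channel in chans}


def route_with_origins(msg, registrations, policy, audit):
    """Origin-based enforcement: reject disallowed senders, deliver only to allowed receivers."""
    if not policy.may_send(msg):
        audit.append(f"dropped {msg.channel}: sender {msg.sender} not allowed")
        return {}
    delivered = {}
    for app, chans in registrations.items():
        if msg.channel not in chans:
            continue
        if policy.may_receive(msg.channel, app):
            delivered[app] = msg.payload
        else:
            audit.append(f"withheld {msg.channel} from {app}")  # record for detection
    return delivered


def demo():
    """Constructed sample: a second app has registered the same auth-callback scheme as the real client."""
    regs = {"app:com.example.client": {"scheme:trusted-auth"}, "app:com.example.other": {"scheme:trusted-auth"}}
    policy = OriginPolicy()
    policy.allow("scheme:trusted-auth", send={"web:https://login.trusted.example"}, recv={"app:com.example.client"})
    token = Message("web:https://login.trusted.example", "scheme:trusted-auth", "token-A")
    audit = []
    return route_unlabelled(token, regs), route_with_origins(token, regs, policy, audit), audit
```

Without labels both registered apps receive the token; with the policy only the declared client does, and the audit list records the withheld delivery.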