KaiOS is a mobile operating system, forked from the discontinued Firefox OS, in which all the mobile applications running on a KaiOS-based mobile device are built using web technologies, such as HTML, JavaScript, and CSS. In this independent research project, we demonstrate that six of the pre-installed mobile applications are vulnerable to remote, and local, HTML injection attacks, which when combined with bypasses in the Content Security Policy can result in the abuse of privileged JavaScript APIs resulting in remote file disclosure or local privilege escalation. Additionally, we explore the security implications of both documented and undocumented JavaScript APIs in the platform and general security risks of the mobile platform.
This whitepaper may be downloaded below.