
2014 | Original Paper | Book Chapter

Bifocals: Analyzing WebView Vulnerabilities in Android Applications

Written by: Erika Chin, David Wagner

Published in: Information Security Applications

Publisher: Springer International Publishing


Abstract

WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device's file system to an attacker. We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11% of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60% of the vulnerable applications with little burden on developers.


Footnotes

1. We use the term "web browser" to specifically reference a device's default web browsing application and "WebView" to refer to developer-customized views.

2. Regardless, access to an application's assets and resources (located at file:///android_asset and file:///android_res) is always granted within each application.

3. Caveat: In the latest release of Android, the Android OS was modified to require developers to explicitly enable access to "file://" URLs, reducing the opportunity for attack. For applications prior to Jelly Bean and for applications that do not set the minimum OS version to Jelly Bean, access to files is still granted by default.

4. We wanted to analyze both free and paid applications in order to avoid biases that might be present in free applications. Therefore, we reused an existing dataset rather than buying the applications a second time. It would be interesting to see if the results differ if we were to repeat the same experiments on current applications.

5. In the rest of the section, we may shorten the phrases "WebView in the core functionality of the application" to "core WebView" or "core application" and "WebView in an ad library in the application" to "ad WebView" or "ad application."

6. The sum of the applications with core and ad WebViews exceeds the 120 applications because some applications have both core WebViews and ad WebViews.

7. Our approach also would not mitigate attacks via an XSS vulnerability (which is outside the scope of this work).
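The two WebView weaknesses named in the abstract and footnote 3 (a JavaScript bridge callable by any loaded page, and file:// access left at its pre-Jelly Bean default), shown beside a hardened configuration. This is an added example, not code from the paper or the Bifocals tool; it uses only the standard Android WebView and WebSettings APIs, and the Bridge class, its appVersion() method and TRUSTED_HOST are constructed placeholders.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {
    private static final String TRUSTED_HOST = "app.example.com"; // placeholder host

    // Object exposed to page JavaScript. Without @JavascriptInterface (API 17+)
    // every public method of the object, including getClass(), is callable.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; } // constructed sample method
    }

    // "Before": excess authorization plus default file:// access. Any page that
    // ends up in this WebView (redirect, injected script, ad content) can call
    // the bridge, and pre-Jelly Bean file URLs load without being enabled.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void weakSetup(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
        wv.loadUrl("http://" + TRUSTED_HOST + "/"); // cleartext, no navigation control
    }

    // "After": same feature, smaller attack surface.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedSetup(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        // Footnote 3: Jelly Bean made file-URL access opt-in. Turn it off
        // explicitly so behaviour does not depend on minSdkVersion defaults.
        s.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // Only HTTPS pages on the trusted host may load in this WebView; returning
        // true refuses everything else, file:// included. (Per footnote 7 this does
        // not help if the trusted page itself has an XSS bug.)
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                Uri u = Uri.parse(url);
                return !("https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost()));
            }
        });
        wv.addJavascriptInterface(new Bridge(), "Android"); // reachable only by trusted pages
        wv.loadUrl("https://" + TRUSTED_HOST + "/");
    }
}
```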
 
Metadata
Title
Bifocals: Analyzing WebView Vulnerabilities in Android Applications
Written by
Erika Chin
David Wagner
Copyright year
2014
DOI
https://doi.org/10.1007/978-3-319-05149-9_9