ABSTRACT
WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded "browsers", WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized "browsers" for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView.
The design of WebView changes the landscape of the Web, especially from the security perspective. Two essential pieces of the Web's security infrastructure are weakened if WebView and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As results, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions.
- Caja. http://code.google.com/p/google-caja/.Google Scholar
- Droidgap. http://www.phonegap.com.Google Scholar
- Extracting html from a webview. http://lexandera.com/2009/01/extracting-html-from-a-webview/.Google Scholar
- A tool for converting android's .dex format to java's .class format. http://code.google.com/p/dex2jar.Google Scholar
- Injecting javascript into a webview. http://lexandera.com/2009/01/injecting-javascript-into-a-webview/, 2009.Google Scholar
- Intercepting page loads in webview. http://lexandera.com/2009/02/intercepting-page-loads-in-webview/, 2009.Google Scholar
- Researchers expose android webkit browser exploit. http://www.zdnet.co.uk/news/security-threats/2010/11/08/researchers-expose-android-webkit//-browser-exploit-40090787/, November 2010.Google Scholar
- U. S. smartphone market: WhoâĂŹs the most wanted? http://blog.nielsen.com/nielsenwire/, 2011.Google Scholar
- David Barrera, H. G. üne ş Kayacik, Paul C. van Oorschot, and Anil Somayaji. A methodology for empirical analysis of permission-based security models and its application to android. In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 73--84, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- D. Crockford. ADSafe. http://www.adsafe.org.Google Scholar
- W. Enck, P. Gilbert, B. G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX conference on Operating systems design and implementation, OSDI'10, pages 1--6, Berkeley, CA, USA, 2010. USENIX Association. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, pages 235--245, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified, 2011.Google Scholar
- E. A. Hernandez. War of the mobile browsers. IEEE Pervasive Computing, 8:82--85, January 2009. Google ScholarDigital Library
- A. Jaaksi. Developing mobile browsers in a product line. IEEE Software, 19:73--80, 2002. Google ScholarDigital Library
- K. Jayaraman, W. Du, B. Rajagopalan, and S. J. Chapin. Escudo: A fine-grained protection model for web browsers. In Proceedings of the 30th International Conference on Distributed Computing Systems (ICDCS), Genoa, Italy, June 21--25 2010. Google ScholarDigital Library
- T. Luo and W. Du. Contego: Capability-based access control for web browsers. In TRUST'11, 2011. Google ScholarDigital Library
- S. Maffeis, J. C. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In IEEE Symposium on Security and Privacy, 2010. Google ScholarDigital Library
- D. McMahon. Learn android programming, 2011.Google Scholar
- L. A. Meyerovich and B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In IEEE Symposium on Security and Privacy, pages 481--496, 2010. Google ScholarDigital Library
- M. Palviainen and T. Laakko. Mimeframe - a framework for statically and dynamically composed adaptable mobile browsers. 2006.Google Scholar
- F. Reynolds. Web 2.0-in your hand. IEEE Pervasive Computing, 8:86--88, January 2009. Google ScholarDigital Library
- S. Hashimi S. Komatineni, D. MacLean. Pro android 3, 2011. Google ScholarDigital Library
- H. Shen, Z. Pan, H. Sun, Y. Lu, and S. Li. A proxy-based mobile web browser. In Proceedings of the international conference on Multimedia, MM '10, pages 763--766, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In WWW, 2010. Google ScholarDigital Library
- Android Development Team. Webviewclient hooks list. http://developer.android.com/reference/android/webkit/WebViewClient.html.Google Scholar
- T. Vennon and D. Stroop. Threat analysis of the android market, 2010.Google Scholar
- P. Ye. Research on mobile browser's model and evaluation. Structure, pages 712--715, 2010.Google Scholar
Index Terms
- Attacks on WebView in the Android system
Recommendations
A tale of two cities: how WebView induces bugs to Android applications
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software EngineeringWebView is a widely used Android component that augments a native app with web browser capabilities. It eases the interactions between an app’s native code and web code. However, the interaction mechanism of WebView induces new types of bugs in Android ...
Web access monitoring mechanism for Android webview
ACSW '18: Proceedings of the Australasian Computer Science Week MulticonferenceIn addition to conventional web browsers, WebView is used to display web content on Android. WebView is a component that enables the display of web content in mobile applications, and is extensively used. As WebView displays web content without having ...
Vulnerabilities in Android webview objects: Still not the end!
AbstractWebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android ...
Comments