Bifocals: Analyzing WebView Vulnerabilities in Android Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8267)

Abstract

WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device’s file system to an attacker.

We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11% of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60% of the vulnerable applications with little burden on developers.

Notes

  1. We use the term “web browser” to refer specifically to a device’s default web browsing application and “WebView” to refer to developer-customized views.

  2. Regardless, access to an application’s own assets and resources (located at file:///android_asset and file:///android_res) is always granted within each application.

  3. Caveat: Starting with Jelly Bean (Android 4.1, API level 16), WebView no longer lets JavaScript loaded from a file:// URL read other file:// URLs by default (WebSettings.setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs default to false), reducing the opportunity for attack. The new default is keyed to the application’s targetSdkVersion, not to the device: on devices running a release before Jelly Bean, and for applications that target an API level below 16, access to files is still granted by default unless the application disables it explicitly.

  4. We wanted to analyze both free and paid applications in order to avoid biases that might be present in free applications. Therefore, we reused an existing dataset rather than buying the applications a second time. It would be interesting to see whether the results differ if we were to repeat the same experiments on current applications.

  5. In the rest of the section, we may shorten the phrase “WebView in the core functionality of the application” to “core WebView” or “core application” and “WebView in an ad library in the application” to “ad WebView” or “ad application.”

  6. The sum of the applications with core WebViews and those with ad WebViews exceeds the 120 applications because some applications have both core WebViews and ad WebViews.

  7. Our approach also would not mitigate attacks via an XSS vulnerability (which is outside the scope of this work).
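The two bug classes named in the abstract, and the file-access default discussed in notes 2 and 3, can be checked mechanically over disassembled code. The Python below is an added example written for this page; it is not the Bifocals tool and not code from the paper. It runs the checks over a few constructed lines of smali-style Dalvik disassembly (the package names, class names and URLs are invented), treats a targetSdkVersion below 16 as granting file-URL access by default unless the app sets it explicitly, and uses a first-party heuristic of its own (bundled assets and HTTPS pages are trusted; plain HTTP, foreign file:// paths and URLs built at runtime are not) rather than the paper's exact definition.

```python
# Toy static checker for the two WebView bug classes described above.
# Added example, not the Bifocals tool; input is constructed smali-style disassembly.
import re
from dataclasses import dataclass, field
from typing import Optional

JELLY_BEAN = 16  # API level from which WebView denies file-URL access by default (note 3)
RUNTIME = "<runtime>"  # placeholder for an argument we cannot resolve statically
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*(L[\w/$]+;)->([\w<>]+)\(")
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+(\w+),\s*"((?:[^"\\]|\\.)*)"')
CONST_INT_RE = re.compile(r"const(?:/4|/16|/high16)?\s+(\w+),\s*(-?0x[0-9a-fA-F]+|-?\d+)")
CLOBBER_RE = re.compile(r"(?:new-instance|move-result(?:-object|-wide)?|iget-object)\s+(\w+)")

@dataclass
class WebViewFacts:
    js_enabled: bool = False
    js_interfaces: list = field(default_factory=list)
    file_url_access: Optional[bool] = None  # None: setter never called, platform default applies
    loaded_urls: list = field(default_factory=list)

def parse_smali(lines):
    """Collect WebView/WebSettings calls, resolving constant arguments within each method."""
    facts, regs = WebViewFacts(), {}
    for raw in lines:
        line = raw.strip()
        if line.startswith(".method"):
            regs = {}  # registers are method-local
        elif m := CONST_STR_RE.match(line):
            regs[m.group(1)] = m.group(2)
        elif m := CONST_INT_RE.match(line):
            regs[m.group(1)] = int(m.group(2), 0)
        elif m := CLOBBER_RE.match(line):
            regs.pop(m.group(1), None)  # register now holds a non-constant
        elif m := INVOKE_RE.match(line):
            args = [a.strip() for a in m.group(1).split(",") if a.strip()]
            cls, name = m.group(2), m.group(3)
            params = [regs.get(r, RUNTIME) for r in args[1:]]  # args[0] is the receiver
            if cls == "Landroid/webkit/WebSettings;" and params:
                flag = params[0] != 0  # an unresolved boolean is assumed true (conservative)
                if name == "setJavaScriptEnabled":
                    facts.js_enabled = flag
                elif name in ("setAllowFileAccessFromFileURLs", "setAllowUniversalAccessFromFileURLs"):
                    facts.file_url_access = bool(facts.file_url_access) or flag
            elif cls == "Landroid/webkit/WebView;":
                if name == "addJavascriptInterface" and len(params) == 2:
                    facts.js_interfaces.append(str(params[1]))
                elif name in ("loadUrl", "loadDataWithBaseURL") and params:
                    facts.loaded_urls.append(str(params[0]))
    return facts

def bundled(url):  # shipped inside the APK; note 2: always readable from the app's WebViews
    return url.startswith(("file:///android_asset/", "file:///android_res/"))

def first_party(url):  # example heuristic: bundled assets and HTTPS pages are developer-controlled
    return bundled(url) or url.startswith("https://")

def file_url_access_effective(facts, target_sdk):
    """Note 3: with no explicit setting, apps targeting API < 16 keep file-URL access."""
    return facts.file_url_access if facts.file_url_access is not None else target_sdk < JELLY_BEAN

def analyze(lines, target_sdk):
    """Return (kind, detail) findings for one application's WebView code."""
    facts, findings = parse_smali(lines), []
    if not facts.js_enabled:
        return findings  # both attack classes need script execution
    untrusted = [u for u in facts.loaded_urls if not first_party(u)]
    if facts.js_interfaces and untrusted:
        findings.append(("excess-authorization", f"{facts.js_interfaces} exposed to {untrusted}"))
    foreign = [u for u in facts.loaded_urls if u == RUNTIME or (u.startswith("file://") and not bundled(u))]
    if foreign and file_url_access_effective(facts, target_sdk):
        findings.append(("file-based-cross-zone-scripting", f"file-origin load of {foreign}"))
    return findings

# Constructed disassembly A: an ad WebView exposing a bridge object to a page fetched over HTTP.
SAMPLE_A = """
.method private setUp()V
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v1
    const/4 v2, 0x1
    invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    new-instance v2, Lcom/example/app/Bridge;
    const-string v1, "Android"
    invoke-virtual {v0, v2, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    const-string v1, "http://ads.example.net/banner.html"
    invoke-virtual {v0, v1}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
.end method
"""

# Constructed disassembly B: a viewer that loads whatever URL the incoming Intent carries.
SAMPLE_B = """
.method public onNewIntent(Landroid/content/Intent;)V
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v1
    const/4 v2, 0x1
    invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    invoke-virtual {p1}, Landroid/content/Intent;->getDataString()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v0, v2}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
.end method
"""

if __name__ == "__main__":
    for label, sample, sdk in (("A", SAMPLE_A, 15), ("B", SAMPLE_B, 15), ("B", SAMPLE_B, 19)):
        print(f"sample {label}, targetSdkVersion {sdk}: {analyze(sample.splitlines(), sdk)}")
```

Sample A is flagged for excess authorization whatever the target SDK, because the bridge object is reachable from an HTTP page that a network attacker can replace. Sample B is flagged for file-based cross-zone scripting only when it targets an API level below 16; raising the target to 19 makes the platform default deny file-URL access and the finding disappears, which is the caveat of note 3 in code form. A real analysis would additionally follow dataflow across methods and classes; the per-method constant tracking here is deliberately minimal.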

Acknowledgments

This research was supported by Intel through the ISTC for Secure Computing. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of Intel.

Author information

Correspondence to Erika Chin or David Wagner.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Chin, E., Wagner, D. (2014). Bifocals: Analyzing WebView Vulnerabilities in Android Applications. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science, vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_9

  • DOI: https://doi.org/10.1007/978-3-319-05149-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05148-2

  • Online ISBN: 978-3-319-05149-9
