Abstract
WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device’s file system to an attacker.
We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found \(67\) applications with WebView-related vulnerabilities (\(11\,\%\) of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over \(60\,\%\) of the vulnerable applications with little burden on developers.
Notes
1. We use the term “web browser” to specifically reference a device’s default web browsing application and “WebView” to refer to developer-customized views.
2. Regardless, access to an application’s assets and resources (located at file:///android_asset and file:///android_res) is always granted within each application.
3. Caveat: In the latest release of Android, the Android OS was modified to require developers to explicitly enable access to “file://” URLs, reducing the opportunity for attack. For applications prior to Jelly Bean and for applications that do not set the minimum OS version to Jelly Bean, access to files is still granted by default.
4. We wanted to analyze both free and paid applications in order to avoid biases that might be present in free applications. Therefore, we reused an existing dataset rather than buying the applications a second time. It would be interesting to see if the results differ if we were to repeat the same experiments on current applications.
5. In the rest of the section, we may shorten the phrases “WebView in the core functionality of the application” to “core WebView” or “core application” and “WebView in an ad library in the application” to “ad WebView” or “ad application.”
6. The sum of the applications with core and ad WebViews exceeds the \(120\) applications because some applications have both core WebViews and ad WebViews.
7. Our approach also would not mitigate attacks via an XSS vulnerability (which is outside the scope of this work).
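The abstract names two configuration-level WebView weaknesses (a JavaScript bridge reachable by untrusted page script, and file:// content loaded with JavaScript and file access enabled), and notes 2 and 3 describe which file-access defaults apply. The following Java is an added illustration written for this page, not code from the paper or from the Bifocals tool, and it does not reproduce the specific policy change the paper proposes (which the abstract does not spell out). It places the permissive pattern beside a hardened configuration using the public `android.webkit` API; the class name, package, `TRUSTED_HOST` value and the `NativeBridge` object are assumed for the example.

```java
package example; // hypothetical package, not from the paper

import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Constructed example: the two WebView configurations the page discusses, side by side. */
public final class WebViewHardening {

    /** The one origin the application's own pages come from (assumed value). */
    private static final String TRUSTED_HOST = "app.example.com";

    /** Native object exposed to page JavaScript. On Jelly Bean MR1 (API 17) and
     *  later, only methods carrying @JavascriptInterface are callable from script;
     *  on older releases every public method of the object is reachable. */
    public static final class NativeBridge {
        private final Context ctx;
        NativeBridge(Context ctx) { this.ctx = ctx; }

        @JavascriptInterface
        public String getLocale() {
            return ctx.getResources().getConfiguration().locale.toString();
        }
    }

    /** Excess authorization + file-based cross-zone scripting, as a detector
     *  would see them: JavaScript on, a bridge registered, file access on, and
     *  content the app does not control loaded into the same WebView. Any
     *  script served at untrustedUrl can call the bridge, and a file:// page
     *  loaded here can read other local files. Shown only for contrast. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configurePermissive(WebView wv, Context ctx, String untrustedUrl) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                // the default on the releases the paper studies
        s.setAllowFileAccessFromFileURLs(true);    // defaults to false only when targeting API 16+
        s.setAllowUniversalAccessFromFileURLs(true);
        wv.addJavascriptInterface(new NativeBridge(ctx), "Android");
        wv.loadUrl(untrustedUrl);
    }

    /** Hardened WebView for the application's own content. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configureHardened(WebView wv, Context ctx) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);              // still needed for the app's own pages
        // Close the file zone. Note 2 on this page: file:///android_asset and
        // file:///android_res remain readable regardless of these settings.
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);
        // Page-initiated top-level navigations are confined to the trusted origin.
        // Caveat: this callback is not invoked for the app's own loadUrl() calls,
        // for iframes, or for XMLHttpRequest, so it is a navigation filter, not a
        // guarantee about which scripts end up running in the page.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url);   // returning true blocks the load
            }
        });
        wv.addJavascriptInterface(new NativeBridge(ctx), "Android");
        wv.loadUrl("https://" + TRUSTED_HOST + "/index.html");
    }

    /** Separate WebView for third-party (e.g. ad library) content: no bridge
     *  and no file access, so the two zones never share a JavaScript context. */
    public static void configureThirdParty(WebView wv, String adUrl) {
        WebSettings s = wv.getSettings();
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        wv.removeJavascriptInterface("Android");   // defensive: ensure no bridge survives reuse
        wv.loadUrl(adUrl);
    }

    /** Only https to the application's own host counts as trusted. */
    static boolean isTrusted(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

The design point is separation: the WebView that carries a native bridge loads only first-party content over https, and any WebView that loads third-party content (the ad WebViews the notes refer to) carries no bridge and no file access. A single WebView that is reconfigured between the two roles is the pattern that produces both vulnerability classes on this page.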
Acknowledgments
This research was supported by Intel through the ISTC for Secure Computing. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of Intel.
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Chin, E., Wagner, D. (2014). Bifocals: Analyzing WebView Vulnerabilities in Android Applications. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science(), vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_9
DOI: https://doi.org/10.1007/978-3-319-05149-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05148-2
Online ISBN: 978-3-319-05149-9
eBook Packages: Computer Science (R0)