Touchjacking Attacks on Web in Android, iOS, and Windows Phone

  • Conference paper
Foundations and Practice of Security (FPS 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7743)

Abstract

To make it easy for applications to interact with the Web, most mobile platforms, including Android, iOS, and Windows Phone, provide a mechanism that allows applications to embed a small but powerful browser component. In Android this component is called WebView (other platforms use different names for it). WebView implements a number of APIs that applications can use to interact with the web content inside it. Previous work has pointed out that malicious applications can use these APIs to attack the web content inside WebView, and has proposed fixes for those APIs. We have discovered that even with those fixes, WebView is still not secure. This is because the previous work focuses only on the APIs designed specifically for WebView and overlooks the APIs that WebView inherits from its superclasses. These inherited APIs are designed for general-purpose user interface (UI) components, and they appear to pose no risk to such components; however, combining them with web content introduces new risks. We have identified several attacks based on these APIs, which we call Touchjacking attacks. They treat WebView as a black box: they do not use the APIs designed specifically for WebView, but only the inherited ones. Through these APIs, malicious applications can attack the web content inside WebView. The impact of the attacks is significant, as all the platforms we studied, including Android, iOS, and Windows Phone, are vulnerable to them.

The project was supported by the Google Research Award and the NSF Award No. 1017771.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Luo, T., Jin, X., Ananthanarayanan, A., Du, W. (2013). Touchjacking Attacks on Web in Android, iOS, and Windows Phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds) Foundations and Practice of Security. FPS 2012. Lecture Notes in Computer Science, vol 7743. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37119-6_15

  • DOI: https://doi.org/10.1007/978-3-642-37119-6_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37118-9

  • Online ISBN: 978-3-642-37119-6
