Vulnerabilities in Android webview objects: Still not the end

WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:Computers & security Ročník 109; s. 102395
Hlavní autori: El-Zawawy, Mohamed A., Losiouk, Eleonora, Conti, Mauro
Médium: Journal Article
Jazyk:English
Vydavateľské údaje: Amsterdam Elsevier Ltd 01.10.2021
Elsevier Sequoia S.A
Predmet:
Android security
Applications programs
Hybrid applications
Inference
Interfaces
Java
Java script interfaces
JavaScript
Rendering
Security
Taint analysis
Vulnerability
Web view
Web view client
Android security
Taint analysis
Web view
Java script interfaces
Web view client
Hybrid applications
ISSN:0167-4048, 1872-6208
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while rendering web content a hybrid app can execute malicious Javascript code that can access the sensitive data on the device, bypassing the sandbox model usually adopted by standalone browsers. Researchers already analyzed the security issues of WebView objects, by focusing on Javascript interfaces. However, we believe that there are other aspects related to the rendering of web content in Android apps, such as WebViewClient objects, that could lead to security issues. In this paper, we introduce three new types of vulnerabilities related to WebView, that expose new attack surfaces concerning the most well-known vulnerability related to JavaScript interfaces. To detect these new types of vulnerabilities, we designed WebVSec, a static analysis system that relies on a set of custom inference rules, heuristically formalized. By designing WebVSec to detect also the vulnerability already described in the state-of-art, we were able to compare WebVSec with BabelView on a set of 2000 applications. BabelView was found not able to detect our new three types of vulnerabilities and also less precise and efficient in detecting the already known vulnerability. In particular, over the 2000 analyzed apps, WebVSec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, WebVSec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, WebVSec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.
Bibliografia:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2021.102395