Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing WebView Vulnerabilities in Android Applications

Published byClinton Hart Modified over 6 years ago

Similar presentations

Presentation on theme: "Analyzing WebView Vulnerabilities in Android Applications"— Presentation transcript:

1 Analyzing WebView Vulnerabilities in Android Applications
Erika Chin, Stephanie Rogers, and David Wagner WebView-Based Attacks Figure 1: WebView-based attack1 Example: Mobile application code: myWebView.addJavascriptInterface( new MobileClass(), “Mc”); Web application code: <script> Mc.mobileFunction(x,y,z) </script> Approach Part I: Android Application-centric analysis (Completed) Build a flow-sensitive static analysis tool to identify, for each WebView instance: Whether it can execute JavaScript Whether it allows JavaScript to invoke application code Challenge: Determine code reachability Challenge: Determine access to permissions Whether it allows users to navigate to other pages What URL it loads Introduction We will perform a large scale measurement study to determine how many Android applications may be vulnerable to malicious websites that a user may access while browsing. Android Overview WebView – Allows developers to display webpages directly in the application Pros: Allows the developer to customize the display and implement special features Cons: Could allow JavaScript to invoke application code1 Could grant websites access to system resources and data1 Approach (con’t) Part II: Website-centric analysis (In progress) Can a malicious website be displayed in the WebView? Assumption: 1st WebView is trusted unless it contains an advertisement Build a tool to determine whether a user can navigate away from a designated webpage and land on a potentially malicious third-party site: Crawl the page (mobile version) and its links Look for: Ads Links to different domains Challenges: Identifying ads Determining if a site is not of the same origin Evaluation We propose to: Run our tool on 1000 applications Manually review apps to determine: The type and severity of apps leaking data Whether devs are excessively exposing code The false positive rate of the tool The failure rate of the tool (where it cannot resolve the URL, limitations in reachability analysis, etc.) Conclusion Android developers need to be aware of these attacks when using WebViews We are working towards measuring the prevalence of these WebView-based vulnerabilities 1 Source: ”Attacks on WebView in the Android System,” T. Luo, et al., ACSAC 2011.

Download ppt "Analyzing WebView Vulnerabilities in Android Applications"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.
DT211/3 Internet Application Development Active Server Pages & IIS Web server.

DT211/3 Internet Application Development Active Server Pages & IIS Web server.
A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.

A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
Unit 4.4 We are HTML Editors

Unit 4.4 We are HTML Editors
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.

Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.
Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual.

Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.

A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.
1 Tradedoubler & Mobile Mobile web & app tracking technical overview.

1 Tradedoubler & Mobile Mobile web & app tracking technical overview.
document.location ✗ Location Hijacking Phishing.

document.location ✗ Location Hijacking Phishing.

Similar presentations

Ads by Google