A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.


1 A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna

2 The big picture

3 Hundreds of thousands of vulnerable apps

4 Definitions

5 A Large-Scale Study of Mobile Web App Security

7 A mobile web app is… an app that embeds a fully functional web browser as a UI element.

8 A Large-Scale Study of Mobile Web App Security

9 1,172,610 Android apps

10 998,286 w/ WebViews

11 A Large-Scale Study of Mobile Web App Security

13 Three classes of vulnerability:
   1. Loading untrusted web content
   2. Leaking URLs to foreign apps
   3. Exposing state-changing navigation to foreign apps

15 “You should restrict the web-pages that can load inside your WebView with a whitelist.” - Facebook

16 “…only loading content from trusted sources into WebView will help protect users.” - Adrian Ludwig, Google

17 Goal: Find apps that load untrusted content in WebViews

18 1. Navigate to untrusted content

19 // In app code
   myWebView.loadUrl("foo.com");

20 // In app code
   myWebView.loadUrl("foo.com");
   // ...then the user clicks a link inside the page

22 // In app code
   myWebView.loadUrl("foo.com");
   // ...then the user clicks a link, or the page's own JavaScript navigates:
   // In JavaScript
   window.location = "foo.com";

23 public boolean shouldOverrideUrlLoading(WebView view, String url) {
       // return false -> load the URL in the WebView
       // return true  -> prevent the URL load
   }

24 public boolean shouldOverrideUrlLoading(WebView view, String url) {
       String host;
       try {
           host = new URL(url).getHost();          // java.net.URL
       } catch (MalformedURLException e) {
           host = null;                            // unparseable URL: treat as untrusted
       }
       if ("stanford.edu".equals(host)) return false;  // trusted host: let the WebView load it
       Log.w("WebView", "Overrode URL: " + url);       // android.util.Log
       return true;                                    // everything else is blocked
   }

27 What does untrusted mean?

28 2. Load content with HTTP
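Slides 24 and 28 together say what a navigation filter has to check: the host must be one the app trusts, and the content must not arrive over plain HTTP. The WebViewClient below is an added example, not code from the paper or from any app it studied. It requires the https scheme, matches the host against an allowlist (exact match or a subdomain, so a host that merely contains the trusted name is rejected), parses with android.net.Uri so a malformed URL cannot throw out of the callback, and implements both shouldOverrideUrlLoading overloads. The entries in ALLOWED_HOSTS, the class name and the log tag are assumptions.

```java
import android.net.Uri;
import android.util.Log;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: allow navigation only to HTTPS URLs on an allowlist of hosts.
public class AllowlistWebViewClient extends WebViewClient {

    private static final String TAG = "AllowlistWebViewClient";   // assumed log tag

    // Assumed allowlist; an app lists the hosts it actually trusts here.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("stanford.edu", "www.stanford.edu"));

    // True only for https:// URLs whose host is allowed or is a subdomain of an allowed host.
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);                  // does not throw on malformed input
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;  // no plain HTTP
        if (host == null || host.isEmpty()) return false;
        host = host.toLowerCase();
        // Exact or subdomain match. A substring test such as url.contains("stanford.edu")
        // would also accept "stanford.edu.attacker.example", so the suffix must start at a dot.
        for (String allowed : ALLOWED_HOSTS) {
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }

    // API 24+ overload; covers navigations started by the page's JavaScript as well.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        String url = request.getUrl().toString();
        if (isTrusted(url)) return false;          // false -> WebView loads it
        Log.w(TAG, "Blocked navigation to untrusted URL: " + url);
        return true;                               // true -> WebView does not load it
    }

    // Pre-API-24 overload; kept so older devices get the same policy.
    @SuppressWarnings("deprecation")
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isTrusted(url)) return false;
        Log.w(TAG, "Blocked navigation to untrusted URL: " + url);
        return true;
    }

    // The callback is for navigations the page initiates; loads the app starts itself
    // with loadUrl() should go through the same check before the call.
    public static void safeLoad(WebView view, String url) {
        if (isTrusted(url)) {
            view.loadUrl(url);
        } else {
            Log.w(TAG, "Refusing to load untrusted URL: " + url);
        }
    }
}
```

Attach it with `myWebView.setWebViewClient(new AllowlistWebViewClient())` and start every load through `AllowlistWebViewClient.safeLoad(myWebView, url)`. The scheme check is what turns slide 28 into code: a trusted host reached over http:// is still untrusted content, because anyone on the path can replace it.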

29 3. Use HTTPS unsafely

30 public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
       // handler.cancel()  -> cancel the load
       // handler.proceed() -> ignore the error
   }

31 public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
       handler.proceed();   // ignores every certificate error: the unsafe HTTPS pattern
   }
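Slide 31 is the unsafe pattern: every certificate error is waved through. The client below is an added example, not code from the paper, and is its safe counterpart: a failed validation cancels the load, is logged with the primary error so the failure is visible in the app's logs, and shows the user a local explanation rather than a blank page. The class name, log tag and placeholder error markup are assumptions.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: never call proceed(); cancel the load and make the failure visible.
public class StrictSslWebViewClient extends WebViewClient {

    private static final String TAG = "StrictSslWebViewClient";   // assumed log tag

    // Human-readable name for the primary error, for the log line.
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_EXPIRED:      return "certificate expired";
            case SslError.SSL_IDMISMATCH:   return "hostname mismatch";
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_UNTRUSTED:    return "untrusted certificate authority";
            case SslError.SSL_DATE_INVALID: return "certificate date invalid";
            default:                        return "generic TLS error";
        }
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.e(TAG, "TLS validation failed for " + error.getUrl() + ": " + describe(error));
        handler.cancel();   // same decision as the default WebViewClient: abort the load
        // Constructed placeholder page so the user sees why nothing loaded.
        view.loadData("<html><body><p>Secure connection failed.</p></body></html>",
                "text/html", "UTF-8");
    }
}
```

The default WebViewClient already cancels on a certificate error, so the override exists only to log and to explain the failure to the user; the one thing an override must never do is turn that cancel into proceed().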

33 Results

34 Vulnerability       % Relevant    % Vulnerable
   Unsafe Nav              15            34
   HTTP                    40            56
   Unsafe HTTPS            27            29

35 Popularity

36 Outdated Apps

39 Libraries
   29% unsafe nav
   51% HTTP
   53% unsafe HTTPS

40 Takeaways

43 Takeaways
   Apps must not load untrusted content into WebViews
   Able to identify violating apps using static analysis
   Vulnerabilities are present in the entire app ecosystem

44 Questions?
