1 / 21

Attacks on WebView in the Android System

Tongbo Luo , Hao Hao , Wenliang Du , Yifei Wang, and Heng Yin Syracuse University ACSAC 2011. Attacks on WebView in the Android System. Agenda. Introduction WebView Threat Models Attacks from Web Pages Attack from Malicious Apps Case Studies Conclusion. Introduction.

alpha
Download Presentation

Attacks on WebView in the Android System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TongboLuo, HaoHao, Wenliang Du, Yifei Wang, and HengYin Syracuse University ACSAC2011 Attacks on WebView in the Android System

  2. Agenda • Introduction • WebView • Threat Models • Attacks from Web Pages • Attack from Malicious Apps • Case Studies • Conclusion

  3. Introduction • WebView - enabling smartphone and tablet (both in Android & iOS)apps to embed a simple but powerful browser inside them • Two Web's security infrastructure are weakened • Trusted Computing Base (TCB) at the client side • Sandbox protection implemented by browsers

  4. Introduction • Two objectives of Sandbox: • Same-Origin Policy(SOP) • Isolate web pages from the system and isolate the web pages of one origin from those of another

  5. WebView(1/4) • WebView is a subclass of View, and it is used to display web pages • It enables apps to interact with the web content through its APIs • From apps to web pages • From web pages to apps • three types of interactions • Event monitoring • Invoke Java from JavaScript • Invoke JavaScript from Java

  6. WebView(2/4) • Event monitoring

  7. WebView(3/4) • Invoke Java from JavaScript

  8. WebView(4/4) • Invoke JavaScript from Java

  9. Threat Models • Attacks from Malicious Web Pages

  10. Threat Models • Attacks from Malicious Apps

  11. Attacks from Web Pages(1/3) • Through holes on the sandbox • all pages loaded in the WebView can call the same interface • DroidGap • Still need permission

  12. Attacks from Web Pages(2/3) • Through Frame Confusion Public class CameraLauncher{ public void failPicture(String paramString){

  13. Attacks from Web Pages(3/3) • Through Frame Confusion

  14. Attack from Malicious Apps(1/3) • JavaScript Injection • Event Sniffing and Hijacking

  15. Attack from Malicious Apps(2/3) • JavaScript Injection • Android app can inject arbitrary JavaScript code into the pages loaded by the WebView component. • Extracting Information From WebView

  16. Attack from Malicious Apps(3/3) • Event Sniffing and Hijacking • WebViewexposes an umber of hooks to Android apps, allowing them to intercept events, and potentially change the consequences of events. • redirct URL

  17. Case Studies • The goal is not to look for malicious or vulnerable apps, but instead to study how Android apps use WebView. • Usage of WebView • Usage of the WebView Hooks • Usage of addJavascriptInterface • Dex2jar

  18. Conclusion • In our on-going work, we are developing solutions to secure WebView • The goal is to defend against the attacks on WebView by building desirable security features in WebView.

More Related