Bifocals: Analyzing WebView Vulnerabilities in Android Applications

Author: Erika Chin, David Wagner
Year of publication: 2014
Subject:
Source: Information Security Applications ISBN: 9783319051482
WISA
DOI: 10.1007/978-3-319-05149-9_9
Description: WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device's file system to an attacker. We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11 % of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60 % of the vulnerable applications with little burden on developers.
Database: OpenAIRE