WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while rendering web content a hybrid app can execute malicious Javascript code that can access the sensitive data on the device, bypassing the sandbox model usually adopted by standalone browsers. Researchers already analyzed the security issues of WebView objects, by focusing on Javascript interfaces. However, we believe that there are other aspects related to the rendering of web content in Android apps, such as WebViewClient objects, that could lead to security issues.

In this paper, we introduce three new types of vulnerabilities related to WebView, that expose new attack surfaces concerning the most well-known vulnerability related to JavaScript interfaces. To detect these new types of vulnerabilities, we designed $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec, a static analysis system that relies on a set of custom inference rules, heuristically formalized. By designing $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec to detect also the vulnerability already described in the state-of-art, we were able to compare $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec with BabelView on a set of 2000 applications. BabelView was found not able to detect our new three types of vulnerabilities and also less precise and efficient in detecting the already known vulnerability. In particular, over the 2000 analyzed apps, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.

WebView 对象允许 Android 应用程序在应用程序上下文中呈现 Web 内容。更具体地说，在 Android 混合应用程序（即那些同时具有 Android 代码和 Web 代码的应用程序）中，Web 内容可以通过 Java 接口和 WebViewClient 对象与底层 Android 框架进行交互。因此，在呈现 Web 内容时，混合应用程序可以执行恶意 Javascript 代码，这些代码可以访问设备上的敏感数据，绕过独立浏览器通常采用的沙箱模型。研究人员已经通过关注 Javascript 接口分析了 WebView 对象的安全问题。但是，我们认为还有其他与 Android 应用程序中的 Web 内容呈现相关的方面（例如 WebViewClient 对象）可能会导致安全问题。

在本文中，我们介绍了三种与 WebView 相关的新型漏洞，它们暴露了与 JavaScript 接口相关的最著名漏洞的新攻击面。为了检测这些新型漏洞，我们设计了$\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec，一种静态分析系统，它依赖于一组启发式形式化的自定义推理规则。通过设计$\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec 还检测到已经在最先进技术中描述的漏洞，我们能够比较 $\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec 与BabelView在一组 2000 个应用程序上。发现BabelView无法检测我们新的三种类型的漏洞，并且在检测已知漏洞方面的精确度和效率也较低。特别是，超过 2000 个分析的应用程序，$\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec 和BabelView 分别确定了 48 个和 18 个易受攻击的应用程序。在这些，$\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec 发现了 20 个具有特定类型漏洞的应用程序和 36 个具有另一种类型漏洞的应用程序，而BabelView 分别发现了 11 个和 0 个应用程序。在效率方面，$\mathcal{宽}$乙$\mathcal{伏}\mathcal{秒}$ec 用了 27.16 小时来分析整个 2000 个应用程序集，而BabelView需要 63.64 小时。