TC 11 Briefing Papers
Vulnerabilities in Android webview objects: Still not the end!
Introduction
The use of Android on mobile and tablet devices has grown over the past years. Android covers almost of the mobile market share worldwide, while mobile devices almost Statcounter (0000). The Android platform has recently introduced an approach to render web content in Android applications through the use of WebView components. WebView enables the displaying of web content and relies on WebKit for rendering pages. However, the wide use of WebView is mainly motivated by the introduction of hybrid applications, in which core source code is written in HTML and JavaScript through cross-platform tools, such as Apache Cordova Apache (0000). Currently, one-third of mobile developers use cross-platform tools for writing their app, while the rest of the developers use native tools hyb (2020).
The design model of WebView objects differs substantially from the one adopted in standalone browsers. The latter adopt a sandbox mechanism that introduces an access control approach to prevent untrusted JavaScript code from accessing sensitive data on the mobile device Ferri et al. (2010). Thus, in a standalone browser, not only are web pages isolated from each other, but they are also isolated from the system. On the contrary, WebView objects use binding interfaces (through the addJavascriptInterface API) to allow JavaScript code to access private data and system resources on the mobile device. Enabling the interaction between JavaScript code and the underlying system breaks the security model used in standalone browsers. The malicious JavaScript can be part of any web page loaded in the WebView. Advertisement libraries used in the WebView may also allow malicious JavaScript to access private data. Overall, current WebView technologies are not robust enough to prevent vulnerabilities such as Cross-Site Request Forgery, Cross-Site Scripting, and JSON hijacking Li et al. (2017); Luo, Hao, Du, Wang, Yin, 2011, Luo, Jin, Ananthanarayanan, Du, 2012; Mutchler et al. (2015). Consequently, attackers can manipulate WebViewClient listeners and access WebView interfaces through the injection of malicious JavaScript Fahl et al. (2012); Mutchler et al. (2015).
Previous works Rizzo et al. (2018); Yang et al. (2017) addressed the security issues raised by WebView interfaces by mainly focusing on the vulnerabilities involved in the usage of JavaScript interfaces. However, no previous work considered the security issues raised by WebViewClients.
In this paper, we identify three new types of WebView vulnerabilities, which are related to those already addressed by the state of the art but introduce new attack surfaces. We heuristically designed seven rules that allow the detection of all such vulnerabilities and developed the ebec system: a static analysis tool that relies on our seven inference rules to detect WebView vulnerabilities. We evaluated the precision, efficiency, and effectiveness of ebec over a set of 2000 applications and compared the results with BabelView, a state-of-the-art technique Rizzo et al. (2018). With our study, we show that the current state-of-the-art works did not comprehensively address WebView technologies and therefore fail to detect our newly identified vulnerabilities. Moreover, ebec outperformed BabelView in terms of both precision and efficiency.
Contributions. The contributions of this paper are as follows:
1. We identified three new types of vulnerabilities related to the Android WebView design model.
2. We heuristically designed seven inference rules to detect the existing and the newly found vulnerabilities.
3. We designed and developed ebec, a system that implements our rules to detect the above-mentioned vulnerabilities.
4. We experimentally compared ebec against BabelView, the state-of-the-art tool for WebView vulnerability detection. Over the 2000 analyzed apps, ebec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, ebec found 20 apps having one specific type of vulnerability and 36 apps having another type, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, ebec took 27.16 hours to analyze the whole set of 2000 applications, against the 63.64 hours required by BabelView.
Organization. The rest of the paper is organized as follows. Section 2 presents the necessary background, while in Section 3 we illustrate previous works addressing vulnerabilities in Android WebView objects. Section 4 introduces the threat model we consider in this paper, while Section 5 presents the WebView vulnerabilities we studied. The system design and implementation of our solution (i.e., ebec) are presented in Section 6 and Section 7, respectively. Section 8 presents the results we achieved by applying ebec to a dataset of 2000 applications. We conclude the paper in Section 9.
Background
A WebView Developers (0000) is an Android system component enabling Android applications to render web pages and interact with web servers. It is possible to write and show HTML code inside an app via WebView. Listing 1 presents an example that embeds a browser in an Android app to display the Google search engine. This is done in three steps: defining a WebView object (line 1), enabling the execution of JavaScript within the object (line 2), and using the loadUrl API to load a web page (line 3).
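The three steps above, combined with the two surfaces the introduction discusses (a bridge exposed via addJavascriptInterface and a WebViewClient listener), as an added example written for this page: it is neither Listing 1 nor code from the paper or from ebec. The Activity and Bridge class names and the TRUSTED_HOST value are assumptions; the point is that once a bridge is attached, the app must control which origins the WebView is allowed to navigate to.

```java
import android.app.Activity;
import android.graphics.Bitmap;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical Activity written for this example (not from the paper).
public class SearchActivity extends Activity {
    // Constructed value: the only origin whose pages may reach the bridge.
    private static final String TRUSTED_HOST = "www.google.com";

    // Object reachable from page JavaScript as window.Android. Only methods
    // carrying @JavascriptInterface are callable (API 17+); this bridge is
    // why the loaded origin must be controlled.
    static class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    static boolean isTrusted(Uri uri) {
        return "https".equals(uri.getScheme()) && TRUSTED_HOST.equals(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);                // step 1: the WebView object
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);   // step 2: enable JavaScript
        webView.getSettings().setAllowFileAccess(false);    // no file:// pages next to the bridge
        webView.addJavascriptInterface(new Bridge(), "Android");

        // WebViewClient listener: every navigation the page initiates is
        // checked against the trusted origin before it is loaded.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl());        // true = cancel the load
            }
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                // Second check for loads that never reach shouldOverrideUrlLoading.
                if (!isTrusted(Uri.parse(url))) view.stopLoading();
            }
        });

        webView.loadUrl("https://" + TRUSTED_HOST);         // step 3: load the page
    }
}
```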
Related work
WebView vulnerabilities Luo et al. (2011) are one of the Android security directions that have received intense research effort. The main cause of the existing vulnerabilities in the JavaScript bridge is that the traditional security model of the web context Georgiev et al. (2014) conflicts with the lack of privilege isolation Jin et al. (2015). This conflict was partially addressed by NoFrak Georgiev et al. (2014), which extended the same-origin policy (SOP) to cover local resources. The extension idea was employed
Threat model
The threat model studied in this paper focuses on the ways in which Android applications may be attacked by malicious web pages. The applications are assumed to be benign ones that are serving web applications. Our model considers first-party applications (owned by the served web applications) and third-party applications (that are not owned by the served web application injecting malicious JavaScript code). An overview of our attack scenario is presented in Fig. 1. The scenario assumes that
New webview vulnerabilities
This paper considers four types of vulnerabilities that attackers can exploit to launch WebView attacks through injected JavaScript code and the manipulation of WebViewClient (WVC) listeners. Here, we first formally present the four types of vulnerabilities and then provide an illustrative example, taken from a testbed Android application we developed.
Definition 1 and Definition 2 introduce execution paths that play a vital role in vulnerability formalization. Definition 1 An interface path is an execution path that is embedded in
Design of our tool: ebec
This section presents the design of ebec, our proposed system for detecting the WebView vulnerabilities presented in Section 5. ebec relies on two heuristically designed sets of inference rules: the first set abstracts the Dalvik bytecode of Android applications, while the second aims to detect the four vulnerabilities addressed in this paper. Table 2 presents the semantics of the notation used in this section.
Fig. 2 illustrates the general workflow of ebec, whose steps are described below.
Implementation
This section illustrates the implementation details of ebec, whose design was introduced in Section 6. ebec is implemented on top of Androguard Desnos (2011), a tool for reverse engineering Android applications.
Evaluation
This section presents the results of the experiments we conducted to evaluate ebec. We obtained the dataset from a reputable benchmark, namely AndroZoo Allix et al. (2016). All experiments were run on a Dell (Vostro) machine with an Intel(R) Core(TM) i7-3612 QM CPU @ 2.10 GHz, 8.00 GB RAM, and Windows 10 (64-bit). All implementations were written in Python on top of Androguard Desnos (2011), the tool we adopted for reverse engineering Android applications. We make all
Conclusion and future work
Vulnerabilities of WebView objects have been widely studied by previous works, which identified the security issues associated with the JavaScript bridge. In particular, allowing JavaScript code served by a remote web server to access sensitive local data on the smartphone has paved the way for several attacks. Despite the solutions proposed by previous works to detect and defend against such attacks, there are still new vulnerabilities affecting this feature of the Android ecosystem, which also impacts a
CRediT authorship contribution statement
Mohamed A. El-Zawawy: Writing – original draft, Writing – review & editing. Eleonora Losiouk: Writing – original draft, Writing – review & editing. Mauro Conti: Writing – original draft, Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (32)
- Allix, K., et al. (2016). AndroZoo: Collecting millions of Android apps for the research community. 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR).
- Apache. Apache Cordova. https://cordova.apache.org/, Last access in...
- Chin, E., Wagner, D. (2013). Bifocals: Analyzing WebView vulnerabilities in Android applications. International Workshop on Information Security Applications.
- Desnos, A. (2011). Android–Androguard: a full Python tool to play with Android files. Available from:...
- Developers, G. Building web apps in WebView. https://developer.android.com/guide/webapps/webview, Last access in...
- Developers, G. WebView. https://developer.android.com/reference/android/webkit/WebView, Last access in...
- Enck, W., et al. (2011). A study of Android application security. USENIX Security Symposium.
- Fahl, S., et al. (2012). Why Eve and Mallory love Android: An analysis of Android SSL (in)security. Proceedings of the 2012 ACM Conference on Computer and Communications Security.
- Ferri, L., Pichetti, L., Secchi, M., Secomandi, A. (2010). Sandbox web navigation. US Patent App....
- Georgiev, M., Jana, S., Shmatikov, V. (2014). Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. NDSS Symposium.
- Hassanshahi, B., et al. Web-to-application injection attacks on Android: Characterization and detection. European Symposium on Research in Computer Security.
- Hu, J., et al. A tale of two cities: How WebView induces bugs to Android applications. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering.
- MWR InfoSecurity. WebView addJavascriptInterface remote code execution. MWR InfoSecurity, Sept.
- Jin, X., et al. Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security.
- Jin, X., et al. Fine-grained access control for HTML5-based mobile applications in Android. Information Security.
Cited by (3)
- ωTest: WebView-Oriented Testing for Android Applications. 2023, ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
- Android Source Code Vulnerability Detection: A Systematic Literature Review. 2023, ACM Computing Surveys
- Influencing User's Behavior concerning Android Privacy Policy: An Overview. 2021, Mobile Information Systems
Mohamed A. El-Zawawy received a Ph.D. in Computer Science from the University of Birmingham in 2007, an M.Sc. in Computational Sciences in 2002 from Cairo University, and a B.Sc. in Computer Science in 1999 from Cairo University. Dr. El-Zawawy has been an associate professor of Computer Science at the Faculty of Science, Cairo University, since 2014. During the period 2007-2014, Dr. El-Zawawy held the position of Assistant Professor of Computer Science at the Faculty of Science, Cairo University. During 2009, he held the position of extraordinary senior researcher at the Institute of Cybernetics, Tallinn University of Technology, Estonia. He worked as a teaching assistant at Cairo University from 1999 to 2003 and later at Birmingham University from 2003 to 2007. Dr. El-Zawawy is interested in Android security and privacy and IoT security.
Eleonora Losiouk is a Postdoc Fellow working in the SPRITZ Group of the University of Padova, Italy. In 2018, she obtained her Ph.D. in Bioengineering and Bioinformatics from the University of Pavia, Italy. She was a Visiting Fellow at the Ecole Polytechnique Federale de Lausanne in 2017. Her main research interests concern the security and privacy evaluation of the Android Operating System and Information-Centric Networking. During her Ph.D. she published several papers in peer-reviewed journals and IEEE conferences.
Mauro Conti is Full Professor at the University of Padua, Italy, and Affiliate Professor at the University of Washington, Seattle, USA. He obtained his Ph.D. from Sapienza University of Rome, Italy, in 2009. After his Ph.D., he was a Postdoc Researcher at Vrije Universiteit Amsterdam, The Netherlands. In 2011 he joined the University of Padua as Assistant Professor, where he became Associate Professor in 2015 and Full Professor in 2018. He has been Visiting Researcher at GMU (2008, 2016), UCLA (2010), UCI (2012, 2013, 2014, 2017), TU Darmstadt (2013), UF (2015), and FIU (2015, 2016, 2018). He was awarded a Marie Curie Fellowship (2012) by the European Commission and a Fellowship by the German DAAD (2013). His research is also funded by companies, including Cisco, Intel, and Huawei. His main research interest is in the area of security and privacy. In this area, he has published more than 250 papers in top international peer-reviewed journals and conferences. He is Area Editor-in-Chief for IEEE Communications Surveys & Tutorials, and Associate Editor for several journals, including IEEE Communications Surveys & Tutorials, IEEE Transactions on Information Forensics and Security, IEEE Transactions on Dependable and Secure Computing, and IEEE Transactions on Network and Service Management. He was Program Chair for TRUST 2015, ICISS 2016, and WiSec 2017, and General Chair for SecureComm 2012 and ACM SACMAT 2013. He is a Senior Member of the IEEE.