Vulnerabilities in Android webview objects: Still not the end!

Abstract

WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while rendering web content a hybrid app can execute malicious Javascript code that can access the sensitive data on the device, bypassing the sandbox model usually adopted by standalone browsers. Researchers already analyzed the security issues of WebView objects, by focusing on Javascript interfaces. However, we believe that there are other aspects related to the rendering of web content in Android apps, such as WebViewClient objects, that could lead to security issues.

In this paper, we introduce three new types of vulnerabilities related to WebView, that expose new attack surfaces concerning the most well-known vulnerability related to JavaScript interfaces. To detect these new types of vulnerabilities, we designed $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec, a static analysis system that relies on a set of custom inference rules, heuristically formalized. By designing $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec to detect also the vulnerability already described in the state-of-art, we were able to compare $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec with BabelView on a set of 2000 applications. BabelView was found not able to detect our new three types of vulnerabilities and also less precise and efficient in detecting the already known vulnerability. In particular, over the 2000 analyzed apps, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.

Introduction

The use of Android on mobile and tablet devices has grown over the past years. Android covers almost $75\%$ of the mobile market share worldwide, while mobile devices almost $53\%$ Statcounter (0000). The Android platform has recently introduced an approach to render web content in Android applications through the use of WebView components. WebView enables the displaying of web content and relies on WebKit for rendering pages. However, the wide use of WebView is mainly motivated by the introduction of hybrid applications, in which core source code is written in HTML and JavaScript through cross-platform tools, such as Apache Cordova Apache (0000). Currently, one-third of mobile developers use cross-platform tools for writing their app, while the rest of the developers use native tools hyb (2020).

The design model of WebView objects highly differs from the one adopted in standalone browsers. The latter adopts a sandbox mechanism that introduces an access control approach to prevent untrusted Javascript code from accessing sensitive data on the mobile device Ferri et al. (2010). Thus, in a standalone browser not only web pages are isolated from each other, but they are also isolated from the system. On the contrary, WebView objects use binding interfaces (through the addJavascriptInterface API) to allow Javascript code to access private data and system resources on the mobile device. Enabling the interaction between Javascript code and the underlying system breaks the security model used in standalone browsers. The malicious JavaScript can be part of any web page loaded in the WebView. Advertisement libraries used in the WebView may also allow malicious JavaScript to access private data. Overall, current WebView technologies are not robust enough to prevent vulnerabilities, such as Cross-Site Request Forgery, Cross-site scripting, and JSON hijacking Li et al. (2017); Luo, Hao, Du, Wang, Yin, 2011, Luo, Jin, Ananthanarayanan, Du, 2012; Mutchler et al. (2015). Consequently, attackers can manipulate WebViewClient listeners and access WebView interfaces through the injection of malicious JavaScript Fahl et al. (2012); Mutchler et al. (2015).

Previous works Rizzo et al. (2018); Yang et al. (2017) addressed the security issues raised by WebView interfaces by mainly focusing on the vulnerabilities involved in the usage of JavaScript interfaces. However, no previous work considered the security issues raised by WebViewClients.

In this paper, we identify three new types of WebView vulnerabilities, which are somehow related to the one already addressed by the state-of-art, but that introduce new attack surfaces. We heuristically designed seven rules that allow the detection of all such vulnerabilities and developed the $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec system: a static analysis tool that relies on our seven inference rules to detect WebView vulnerabilities. We evaluated precision, efficiency, and effectiveness of $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec over a set of 2000 applications and compared the results with BabelView, a state-of-the-art technique Rizzo et al. (2018). With our study, we prove that the current state-of-art works did not comprehensively address WebView technologies, thus failing in detecting our newly identified vulnerabilities. Moreover, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec was found to overcome both in terms of precision and efficiency.

Contributions The contributions of this paper are as follows:

• We identified three new types of vulnerabilities related to the Android WebView design model.

• We heuristically designed seven inference rules to detect the existing and the newly found vulnerabilities.

• We designed and developed $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec, a system that implements our rules to detect the above-mentioned vulnerabilities.

• We experimentally compared $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec against BabelView, the state-of-the-art tool for WebView vulnerabilities detection. Over the 2000 analyzed apps, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.

Organization The rest of the paper is organized as follows. Section 2 presents the necessary background, while in Section 3, we illustrate previous works addressing vulnerabilities in Android WebView objects. Section 4 introduces the threat model we consider in this paper, while Section 5 presents the WebView vulnerabilities we studied. The system design and implementation of our solution (i.e., $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec) are presented in Section 6 and Section 7, respectively. Section 8 presents the results we achieved by applying both $\mathcal{W}$eb$\mathcal{V}\mathcal{S}$ec to a datset of 2000 applications. We conclude the paper in Section 9.