ABSTRACT
In addition to conventional web browsers, WebView is used to display web content on Android. WebView is a component that enables the display of web content in mobile applications, and is extensively used. As WebView displays web content without having to redirect the user to web browsers, there is the possibility that unauthorized web access may be performed secretly via WebView, and information in Android may be stolen or tampered with. Therefore, it is necessary to monitor and analyze web access via WebView, particularly because attacks exploiting WebView have been reported. However, there is no mechanism for monitoring web access via WebView. In this work, the goals are to monitor web access via WebView and to analyze mobile applications using WebView. To achieve these goals, we propose a web access monitoring mechanism for Android WebView. In this paper, the design and implementation of a mechanism that does not require any modifications to the Android Framework and Linux kernel are presented for the Chromium Android System WebView app. In addition, this paper presents evaluation results for the proposed mechanism.
Index Terms
- Web access monitoring mechanism for Android webview