Attacks on WebView in the Android System

Report
ATTACKS ON WEBVIEW IN
THE ANDROID SYSTEM
Tongbo Luo, Hao Hao, Wenliang Du,
Yifei Wang, and HengYin
Syracuse University
ACSAC 2011
2011/12/20 [email protected]
1
Agenda
 Introduction
 WebView
 Threat Models
 Attacks from Web Pages
 Attack from Malicious Apps
 Case Studies
 Conclusion
2011/12/20 [email protected]
2
Introduction
 WebView - enabling smartphone and tablet
(both in Android & iOS) apps to embed a
simple but powerful browser inside them
 Two Web's security infrastructure are
weakened
 Trusted Computing Base (TCB) at the client side
 Sandbox protection implemented by browsers
2011/12/20 [email protected]
3
Introduction
 Two objectives of Sandbox:
 Same-Origin Policy(SOP)
 Isolate web pages from the system and isolate the
web pages of one origin from those of another
2011/12/20 [email protected]
4
WebView(1/4)
 WebView is a subclass of View, and it is used
to display web pages
 It enables apps to interact with the web
content through its APIs
 From apps to web pages
 From web pages to apps
 three types of interactions
 Event monitoring
 Invoke Java from JavaScript
 Invoke JavaScript from Java
2011/12/20 [email protected]
5
WebView(2/4)
 Event monitoring
2011/12/20 [email protected]
6
WebView(3/4)
 Invoke Java from JavaScript
2011/12/20 [email protected]
7
WebView(4/4)
 Invoke JavaScript from Java
2011/12/20 [email protected]
8
Threat Models
 Attacks from Malicious Web Pages
2011/12/20 [email protected]
9
Threat Models
 Attacks from Malicious Apps
2011/12/20 [email protected]
10
Attacks from Web Pages(1/3)
 Through holes on the sandbox
 all pages loaded in the WebView can call the same
interface
 DroidGap
 Still need permission
2011/12/20 [email protected]
11
Attacks from Web Pages(2/3)
 Through Frame Confusion
2011/12/20 [email protected]
12
Attacks from Web Pages(3/3)
 Through Frame Confusion
2011/12/20 [email protected]
13
Attack from Malicious Apps(1/3)
 JavaScript Injection
 Event Sniffing and Hijacking
2011/12/20 [email protected]
14
Attack from Malicious Apps(2/3)
 JavaScript Injection
 Android app can inject arbitrary JavaScript code
into the pages loaded by the WebView component.
 Extracting Information From WebView
2011/12/20 [email protected]
15
Attack from Malicious Apps(3/3)
 Event Sniffing and Hijacking
 WebView exposes an umber of hooks to Android
apps, allowing them to intercept events, and
potentially change the consequences of events.
 redirct URL
2011/12/20 [email protected]
16
Case Studies
 The goal is not to look for malicious or
vulnerable apps, but instead to study how
Android apps use WebView.
 Usage of WebView
 Usage of the WebView Hooks
 Usage of addJavascriptInterface
 Dex2jar
2011/12/20 [email protected]
17
Conclusion
 In our on-going work, we are developing
solutions to secure WebView
 The goal is to defend against the attacks on
WebView by building desirable security
features in WebView.
2011/12/20 [email protected]
18
2011/12/20 [email protected]
19
2011/12/20 [email protected]
20
2011/12/20 [email protected]
21

similar documents