Attacks on WebView in the Android System
description
Transcript of Attacks on WebView in the Android System
12011/12/20 YLJ@adlab
ATTACKS ON WEBVIEW IN THE ANDROID SYSTEM
Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng YinSyracuse University
ACSAC 2011
2
Agenda
Introduction WebView Threat Models Attacks from Web Pages Attack from Malicious Apps Case Studies Conclusion
2011/12/20 YLJ@adlab
3
Introduction WebView - enabling smartphone and
tablet (both in Android & iOS) apps to embed a simple but powerful browser inside them
Two Web's security infrastructure are weakened Trusted Computing Base (TCB) at the client
side Sandbox protection implemented by
browsers 2011/12/20 YLJ@adlab
4
Introduction
Two objectives of Sandbox: Same-Origin Policy(SOP) Isolate web pages from the system and
isolate the web pages of one origin from those of another
2011/12/20 YLJ@adlab
5
WebView(1/4)
WebView is a subclass of View, and it is used to display web pages
It enables apps to interact with the web content through its APIs From apps to web pages From web pages to apps
three types of interactions Event monitoring Invoke Java from JavaScript Invoke JavaScript from Java
2011/12/20 YLJ@adlab
6
WebView(2/4)
Event monitoring
2011/12/20 YLJ@adlab
7
WebView(3/4)
Invoke Java from JavaScript
2011/12/20 YLJ@adlab
8
WebView(4/4)
Invoke JavaScript from Java
2011/12/20 YLJ@adlab
9
Threat Models
Attacks from Malicious Web Pages
2011/12/20 YLJ@adlab
10
Threat Models
Attacks from Malicious Apps
2011/12/20 YLJ@adlab
11
Attacks from Web Pages(1/3) Through holes on the sandbox
all pages loaded in the WebView can call the same interface
DroidGap Still need permission
2011/12/20 YLJ@adlab
12
Attacks from Web Pages(2/3) Through Frame Confusion
2011/12/20 YLJ@adlab
13
Attacks from Web Pages(3/3) Through Frame Confusion
2011/12/20 YLJ@adlab
14
Attack from Malicious Apps(1/3) JavaScript Injection Event Sniffing and Hijacking
2011/12/20 YLJ@adlab
15
Attack from Malicious Apps(2/3)
JavaScript Injection Android app can inject arbitrary
JavaScript code into the pages loaded by the WebView component.
Extracting Information From WebView
2011/12/20 YLJ@adlab
16
Attack from Malicious Apps(3/3)
Event Sniffing and Hijacking WebView exposes an umber of hooks to
Android apps, allowing them to intercept events, and potentially change the consequences of events.
redirct URL
2011/12/20 YLJ@adlab
17
Case Studies
The goal is not to look for malicious or vulnerable apps, but instead to study how Android apps use WebView. Usage of WebView Usage of the WebView Hooks Usage of addJavascriptInterface
Dex2jar
2011/12/20 YLJ@adlab
18
Conclusion
In our on-going work, we are developing solutions to secure WebView
The goal is to defend against the attacks on WebView by building desirable security features in WebView.
2011/12/20 YLJ@adlab
192011/12/20 YLJ@adlab
202011/12/20 YLJ@adlab
212011/12/20 YLJ@adlab