static analysis tool that can identify whether an app is vulnerable to WebView attacks [8]. Mutchler et al. present a large-scale analysis of mobile web applications and report the trend of vulnerabilities in these applications [1]. None of these works implements any defense mechanism targeting WebViews. In [27], the authors present an access control mechanism for WebViews. Their approach uses static analysis to identify the use of security-sensitive APIs in the exposed Java class and notifies the user if any such use is found. The user is then prompted to allow or completely block the binding of the Java object. The main drawback of this approach is that, once the user allows the binding, it provides no origin-based access control, so all origins still have the same access rights. Additionally, their focus is only on permission-protected resources.
WebView-related attacks on hybrid frameworks and bringing origin-based access control.
Georgiev et al. discuss the nonexistence of origin-based access control in hybrid frameworks and propose a capability-based approach (NoFrak), where the app developer whitelists the origins that are allowed to access system resources [2]. The drawback of their approach is that it works only for the PhoneGap framework, even though the underlying problem is not specific to hybrid frameworks. Additionally, the solution is not fine-grained, since a whitelisted origin gets access to all resources of the app. In [3], the authors propose a fine-grained access control system for hybrid apps, which allows developers to add origin permissions to the manifest file and associate iframes with permissions, and enforces the developer's rules in the operating system. One drawback of this solution is that the web developer has to be compliant and include the permission tag along with the desired permissions in the iframes; otherwise, the frame simply inherits all the permissions granted to the main page. Furthermore, even though this solution provides more fine-grained access control than NoFrak, it focuses only on protecting permission-protected resources, and hence is not enough to fully protect the app and its user, as we have previously shown. Moreover, neither of these solutions gives developers the flexibility to consult the user on how to handle requests. In [28], the authors present code injection attacks on hybrid apps. Even though they mainly target hybrid frameworks, the attack shown can be applied to all mobile web applications in general.
Fixing Web-based system apps.
Georgiev et al. show that Web-based system applications also suffer from similar problems, and introduce POWERGATE, which provides access control on native objects in the system by enforcing the policy rules created by the developer [29]. Here, their focus is on the native-access APIs provided to the application by the platform, and not on the resources exposed by the use of JavaScript bridges.
7. CONCLUSION AND FUTURE WORK
In this work, we investigate the understudied JavaScript bridge vulnerabilities of native mobile web applications that use embedded web browsers (WebView) to show content. We show cases where highly-downloaded vulnerable Android apps inadvertently expose their internal resources to untrusted web code. By investigating the use of WebView APIs by app developers, we identify the need for a unified and fine-grained access control mechanism on WebView. Hence, we propose Draco, a unified access control framework that allows developers to declare access rules for the exposed resources with fine granularity and enforces these access policies at runtime. Draco's declarative policy language can be used by app developers to create policy rules that specify their trusted or semi-trusted origins, with capabilities defining their access coverage on the three access channels (JavaScript interface, event handlers, HTML5). The Draco Runtime System then enforces these policy rules in an effective and efficient manner. This approach also saves developers from implementing burdensome programming measures (i.e., navigation control, multiple WebViews with different levels of exposure) in an attempt to shield exposed resources from web domains. Draco is easily deployable since it does not require Android OS modifications, but only enhancements in the Android System WebView app. In future work, we plan to investigate the use of server credentials for authorization, and to explore efficient infrastructures for credential management, credential distribution and revocation.
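As an added illustration (not code from the paper or from Draco) of the "navigation control" and "multiple WebViews with different levels of exposure" measures the conclusion refers to, the following Android snippet builds one WebView that carries a JavaScript bridge and is pinned to a first-party origin, and a second WebView without any bridge for third-party content; the host app.example.com and the DeviceBridge object are hypothetical.

```java
// Added illustration: the manual pattern Draco's policy language replaces.
import android.content.Context;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

public final class SplitWebViews {
    // Hypothetical first-party host; an app would list its own origin(s).
    private static final Set<String> TRUSTED_HOSTS =
            Collections.singleton("app.example.com");

    // The exposed Java object ("JavaScript bridge"). Every @JavascriptInterface
    // method is callable by any page loaded in the WebView it is bound to,
    // so exposure is all-or-nothing per WebView rather than per origin.
    static final class DeviceBridge {
        @JavascriptInterface
        public String deviceId() { return "device-id-placeholder"; }
    }

    // WebView for first-party content: has the bridge, so it must refuse
    // to navigate anywhere outside the trusted origin.
    public static WebView trustedWebView(Context ctx) {
        WebView wv = new WebView(ctx);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new DeviceBridge(), "device");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation in this WebView.
                return !isTrusted(url);
            }
        });
        return wv;
    }

    // WebView for third-party content (ads, external links): no bridge.
    public static WebView untrustedWebView(Context ctx) {
        WebView wv = new WebView(ctx);
        wv.getSettings().setJavaScriptEnabled(true);
        return wv;
    }

    // Origin check: scheme must be https and host must be on the allow-list.
    static boolean isTrusted(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOSTS.contains(u.getHost());
    }
}
```

Even with this split, every page that passes the navigation check gets the whole bridge, which is the coarse granularity the paper argues a per-origin, per-channel policy should replace.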
Acknowledgments.
This work was supported in part by NSF CNS 12-23967, 14-08944, and 15-13939. The views expressed are those of the authors only.
8. REFERENCES
[1] P. Mutchler, A. Doupé, J. Mitchell, C. Kruegel, and G. Vigna. A large-scale study of mobile web app security. In MoST, 2015.
[2] M. Georgiev, S. Jana, and V. Shmatikov. Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In NDSS, 2014.
[3] X. Jin, L. Wang, T. Luo, and W. Du. Fine-grained access control for HTML5-based mobile applications in Android. In Information Security, 2015.
[4] WebKit: Open source web browser engine. https://webkit.org/.
[5] The Chromium project. https://chromium.org/.
[6] Android Open Source Project. https://source.android.com/.
[7] T. Luo, H. Hao, W. Du, Y. Wang, and H. Yin. Attacks on WebView in the Android system. In ACSAC. ACM, 2011.
[8] E. Chin and D. Wagner. Bifocals: Analyzing WebView vulnerabilities in Android applications. In Information Security Applications, 2013.
[9] M. Neugschwandtner, M. Lindorfer, and C. Platzer. A view to a kill: WebView exploitation. In LEET, 2013.
[10] D. Thomas, A. Beresford, T. Coudray, T. Sutcliffe, and A. Taylor. The lifetime of Android API vulnerabilities: Case study on the JavaScript-to-Java interface. In Security Protocols XXIII, 2015.
[11] Dex2jar. https://github.com/pxb1988/dex2jar.
[12] JD-GUI. http://jd.benow.ca/.
[13] Apktool decompiler. http://ibotpeaches.github.io/Apktool/.
[14] D. McCracken and E. Reilly. Backus-Naur form (BNF). In Encyclopedia of Computer Science.
[15] Eddystone BLE beacons. http://bit.ly/1WMaylQ.
[16] Bluetooth Low Energy. http://bit.ly/1Rw9grs.
[17] 15 companies using beacon technology. http://bit.ly/16qwASy.
[18] The Apktool's failed app list. http://bit.ly/2aUyE9T.
[19] K. Au, Y. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android permission specification. In CCS, 2012.
[20] Dexdump. http://bit.ly/1NBg7QM.
[21] Cold start times: Analysis of top apps. http://bit.ly/1TFTtb0.
[22] Key takeaways for mobile apps. http://pewrsr.ch/1M4LqyY.
[23] S. Shekhar, M. Dietz, and D. Wallach. AdSplit: Separating smartphone advertising from applications. In USENIX, 2012.
[24] R. Wang, L. Xing, X. Wang, and S. Chen. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In CCS, 2013.
[25] J. Seo, D. Kim, D. Cho, T. Kim, and I. Shin. FlexDroid: Enforcing in-app privilege separation in Android. 2016.
[26] S. Zhu, L. Lu, and K. Singh. CASE: Comprehensive application security enforcement on COTS mobile devices. In MobiSys, 2016.
[27] Y. Jing and T. Yamauchi. Access control to prevent malicious JavaScript code exploiting vulnerabilities of WebView in Android OS. IEICE Transactions on Information and Systems, 2015.
[28] X. Jin, X. Hu, K. Ying, W. Du, H. Yin, and G. Peri. Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. In CCS, 2014.
[29] M. Georgiev, S. Jana, and V. Shmatikov. Rethinking security of web-based system applications. In WWW, 2015.