12011/12/20 YLJ@adlab

ATTACKS ON WEBVIEW IN THE ANDROID SYSTEM

Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng YinSyracuse University

ACSAC 2011

2

Agenda

Introduction WebView Threat Models Attacks from Web Pages Attack from Malicious Apps Case Studies Conclusion

2011/12/20 YLJ@adlab

3

Introduction WebView - enabling smartphone and

tablet (both in Android & iOS) apps to embed a simple but powerful browser inside them

Two Web's security infrastructure are weakened Trusted Computing Base (TCB) at the client

side Sandbox protection implemented by

browsers 2011/12/20 YLJ@adlab

4

Introduction

Two objectives of Sandbox: Same-Origin Policy(SOP) Isolate web pages from the system and

isolate the web pages of one origin from those of another

2011/12/20 YLJ@adlab

5

WebView(1/4)

WebView is a subclass of View, and it is used to display web pages

It enables apps to interact with the web content through its APIs From apps to web pages From web pages to apps

three types of interactions Event monitoring Invoke Java from JavaScript Invoke JavaScript from Java

2011/12/20 YLJ@adlab

6

WebView(2/4)

Event monitoring

2011/12/20 YLJ@adlab

7

WebView(3/4)

Invoke Java from JavaScript

2011/12/20 YLJ@adlab

8

WebView(4/4)

Invoke JavaScript from Java

2011/12/20 YLJ@adlab

9

Threat Models

Attacks from Malicious Web Pages

2011/12/20 YLJ@adlab

10

Threat Models

Attacks from Malicious Apps

2011/12/20 YLJ@adlab

11

Attacks from Web Pages(1/3) Through holes on the sandbox

all pages loaded in the WebView can call the same interface

DroidGap Still need permission

2011/12/20 YLJ@adlab

12

Attacks from Web Pages(2/3) Through Frame Confusion

2011/12/20 YLJ@adlab

13

Attacks from Web Pages(3/3) Through Frame Confusion

2011/12/20 YLJ@adlab

14

Attack from Malicious Apps(1/3) JavaScript Injection Event Sniffing and Hijacking

2011/12/20 YLJ@adlab

15

Attack from Malicious Apps(2/3)

JavaScript Injection Android app can inject arbitrary

JavaScript code into the pages loaded by the WebView component.

Extracting Information From WebView

2011/12/20 YLJ@adlab

16

Attack from Malicious Apps(3/3)

Event Sniffing and Hijacking WebView exposes an umber of hooks to

Android apps, allowing them to intercept events, and potentially change the consequences of events.

redirct URL

2011/12/20 YLJ@adlab

17

Case Studies

The goal is not to look for malicious or vulnerable apps, but instead to study how Android apps use WebView. Usage of WebView Usage of the WebView Hooks Usage of addJavascriptInterface

Dex2jar

2011/12/20 YLJ@adlab

18

Conclusion

In our on-going work, we are developing solutions to secure WebView

The goal is to defend against the attacks on WebView by building desirable security features in WebView.

2011/12/20 YLJ@adlab

192011/12/20 YLJ@adlab

202011/12/20 YLJ@adlab

212011/12/20 YLJ@adlab