2018
DOI: 10.1007/978-3-030-00470-5_2
|View full text |Cite
|
Sign up to set email alerts
|

BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

Abstract: A Webview embeds a fully-edged browser in a mobile application and allows that application to expose a custom interface to JavaScript code. This is a popular technique to build so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the custom interface and can use it to manipulate the device or ex ltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact … Show more

Help me understand this report
View preprint versions

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
7
0

Year Published

2019
2019
2024
2024

Publication Types

Select...
3
3
1

Relationship

0
7

Authors

Journals

citations
Cited by 16 publications
(7 citation statements)
references
References 26 publications
0
7
0
Order By: Relevance
“…Wu and Chang [27] further studied the WebView vulnerabilities on the iOS platform. There are also many techniques to prevent private data from leaking through JavaScript, for example, BavelView [21], Spartan Jester [22], and HybriDroid [15]. Most of the past research focused on the interaction between Java and JavaScript but not on the usability security of the in-app browsing interfaces.…”
Section: Related Workmentioning
confidence: 99%
“…Wu and Chang [27] further studied the WebView vulnerabilities on the iOS platform. There are also many techniques to prevent private data from leaking through JavaScript, for example, BavelView [21], Spartan Jester [22], and HybriDroid [15]. Most of the past research focused on the interaction between Java and JavaScript but not on the usability security of the in-app browsing interfaces.…”
Section: Related Workmentioning
confidence: 99%
“…An application needs to have ATS (Apps Transport Security) enabled to have secure communication. Insufficient transport security can lead to great impact on confidentiality of users' information, more specifically, this is a wide area of research in respect to the practice of data transmission of eHealth apps [29], as well as safety issues regarding data integrity [30], [31]. In case of iOS, this is a privacy feature that should be enabled by default when new apps are installed and enforces secure connections.…”
Section: Static Analysismentioning
confidence: 99%
“…After the apps' transport security analysis, we can see that some of the apps' App Transport Security (ATS) is disabled on the domain "NSAllowsArbitraryLoads:' True. Deactivating ATS means allowing insecure communication with particular unauthorized servers, and therefore allowing insecure media loads for apps web views [31]. Table 4 shows the result of ATS issues, status with description.…”
Section: Dynamic Analysismentioning
confidence: 99%
“…If this is the case, the algorithm extracts i) the WebView object from which the addJavascriptInterface method is invoked (row 17), and ii) the Java object injected in the JavascriptInterface (row 18). After that, the algorithm needs to detect if the Java object injected in the interface contains public methods that can potentially be accessed from JavaScript code (rows [19][20][21][22][23][24][25][26][27]. Moreover, in case of apps targeted to API level 17 or above, the public methods of the object need to be further annotated with the @javascriptinterface tag (rows [19][20][21][22].…”
Section: Detection Algorithmmentioning
confidence: 99%
“…proposed HybriDroid [18], a static analysis framework that examines the inter-communication between the native and the web counterpart of the app to identify development bugs or potential leaks of sensitive information. Other works, like [27], [8], and [35] propose some detection methodologies for code injection attacks based on app-instrumentation or machine learning techniques. However, any of the proposed static analysis techniques suffer from the over-approximation of the app execution paths which drastically reduce the accuracy due to a high rate of false positives [19].…”
Section: Related Workmentioning
confidence: 99%