TY - GEN
T1 - Attacks on WebView in the Android system
AU - Luo, Tongbo
AU - Hao, Hao
AU - Du, Wenliang
AU - Wang, Yifei
AU - Yin, Heng
PY - 2011
Y1 - 2011
N2 - WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded "browsers", WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized "browsers" for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView. The design of WebView changes the landscape of the Web, especially from the security perspective. Two essential pieces of the Web's security infrastructure are weakened if WebView and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As a result, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions.
AB - WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded "browsers", WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized "browsers" for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView. The design of WebView changes the landscape of the Web, especially from the security perspective. Two essential pieces of the Web's security infrastructure are weakened if WebView and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As a result, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions.
UR - http://www.scopus.com/inward/record.url?scp=84862909641&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84862909641&partnerID=8YFLogxK
U2 - 10.1145/2076732.2076781
DO - 10.1145/2076732.2076781
M3 - Conference contribution
AN - SCOPUS:84862909641
SN - 9781450306720
T3 - ACM International Conference Proceeding Series
SP - 343
EP - 352
BT - Proceedings - 27th Annual Computer Security Applications Conference, ACSAC 2011
T2 - 27th Annual Computer Security Applications Conference, ACSAC 2011
Y2 - 5 December 2011 through 9 December 2011
ER -