Touchjacking attacks on Web in Android, iOS, and Windows Phone

Tongbo Luo, Xing Jin, Ajai Ananthanarayanan, Wenliang Du

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Scopus citations

Abstract

To make it easy for applications to interact with the Web, most mobile platforms, including Android, iOS, and Windows Phone, provide a mechanism that allows applications to embed a small but powerful browser component. This mechanism is called WebView in Android (it goes by different names on other platforms). WebView implements a number of APIs that applications can use to interact with the web contents inside WebView. Previous work has pointed out that malicious applications can use these APIs to attack the web contents inside WebView, and has proposed fixes for the problems of those APIs. We have discovered that even with those APIs fixed, WebView is still not secure. This is because the previous work focuses only on the APIs specifically designed for WebView; it has overlooked the APIs that WebView inherits from its super classes. These APIs are designed for general-purpose user interface (UI) components, and they seem to pose no risk to those components; however, the combination of these APIs with the Web has led to new risks. We have identified several attacks based on these APIs. Our attacks are called Touchjacking attacks. They treat WebView as a black box, i.e., they do not use the APIs that are designed specifically for WebView; instead, they use only the inherited APIs. Through these APIs, malicious applications can attack the web contents inside WebView. The impact of the attacks is quite significant, as all the platforms that we have studied, including Android, iOS, and Windows Phone, are vulnerable to these attacks.

Original language: English (US)
Title of host publication: Foundations and Practice of Security - 5th International Symposium, FPS 2012, Revised Selected Papers
Pages: 227-243
Number of pages: 17
State: Published - Apr 12 2013
Event: 5th International Symposium on Foundations and Practice of Security, FPS 2012 - Montreal, QC, Canada
Duration: Oct 25 2012 → Oct 26 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7743 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 5th International Symposium on Foundations and Practice of Security, FPS 2012
Country: Canada
City: Montreal, QC
Period: 10/25/12 → 10/26/12

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Luo, T., Jin, X., Ananthanarayanan, A., & Du, W. (2013). Touchjacking attacks on Web in Android, iOS, and Windows Phone. In Foundations and Practice of Security - 5th International Symposium, FPS 2012, Revised Selected Papers (pp. 227-243). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7743 LNCS). https://doi.org/10.1007/978-3-642-37119-6_15