{"title":"Detection of Vulnerabilities Caused by WebView Exploitation in Smartphone","authors":"S. F. Hidhaya, A. Geetha","doi":"10.1109/ICOAC.2017.8441444","DOIUrl":null,"url":null,"abstract":"WebView is an essential component in Smartphone platforms, which enables the Smartphone applications (apps) to embed a simple yet powerful web browser inside them. In addition, it also enables rich interactions between apps and the web pages that are loaded on the WebView. To achieve this interaction, WebView provides a number of APIs that allow code in apps to invoke and be invoked by the JavaScript code within the web pages and to intercept and modify the events that occur within the web pages. With the help of these rich features, apps can become customized browsers for their intended web applications. However, the design of WebView changes the landscape of the Web, especially from the security perspective. Two essential components of the Web's security infrastructure are the Trusted Computing Base (TCB) and the sandbox protection. These are weakened upon the usage of WebView and its associated APIs. As a result, malicious attacks can be launched either against the apps or by the apps through the usage of WebView. 
The objective of this work is to explore and demonstrate such malicious attacks and to build a system that performs automated static analysis on apps for detecting WebView related vulnerabilities.","PeriodicalId":329949,"journal":{"name":"2017 Ninth International Conference on Advanced Computing (ICoAC)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 Ninth International Conference on Advanced Computing (ICoAC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICOAC.2017.8441444","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3
Abstract
WebView is an essential component in Smartphone platforms, which enables the Smartphone applications (apps) to embed a simple yet powerful web browser inside them. In addition, it also enables rich interactions between apps and the web pages that are loaded on the WebView. To achieve this interaction, WebView provides a number of APIs that allow code in apps to invoke and be invoked by the JavaScript code within the web pages and to intercept and modify the events that occur within the web pages. With the help of these rich features, apps can become customized browsers for their intended web applications. However, the design of WebView changes the landscape of the Web, especially from the security perspective. Two essential components of the Web's security infrastructure are the Trusted Computing Base (TCB) and the sandbox protection. These are weakened upon the usage of WebView and its associated APIs. As a result, malicious attacks can be launched either against the apps or by the apps through the usage of WebView. The objective of this work is to explore and demonstrate such malicious attacks and to build a system that performs automated static analysis on apps for detecting WebView-related vulnerabilities.