Attacks on WebView in the Android system

Asia-Pacific Computer Systems Architecture Conference Pub Date : 2011-12-05 DOI:10.1145/2076732.2076781

Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin

{"title":"Attacks on WebView in the Android system","authors":"Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin","doi":"10.1145/2076732.2076781","DOIUrl":null,"url":null,"abstract":"WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded \"browsers\", WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized \"browsers\" for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView.\n The design of WebView changes the landscape of the Web, especially from the security perspective. Two essential pieces of the Web's security infrastructure are weakened if WebView and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As results, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions.","PeriodicalId":397003,"journal":{"name":"Asia-Pacific Computer Systems Architecture Conference","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"194","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Asia-Pacific Computer Systems Architecture Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2076732.2076781","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 194

Abstract

WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded "browsers", WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized "browsers" for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView. The design of WebView changes the landscape of the Web, especially from the security perspective. Two essential pieces of the Web's security infrastructure are weakened if WebView and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As results, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions.

查看原文本刊更多论文

攻击Android系统中的WebView

WebView是Android和iOS平台上必不可少的组件，它使智能手机和平板电脑应用程序能够在其中嵌入一个简单但功能强大的浏览器。为了在应用程序和它们嵌入的“浏览器”之间实现更好的交互，WebView提供了许多api，允许应用程序中的代码调用和被网页中的JavaScript代码调用，拦截它们的事件，并修改这些事件。使用这些功能，应用程序可以为其预期的web应用程序定制“浏览器”。目前，在Android市场的10个不同类别中，下载量排名前20的应用中有86%使用WebView。WebView的设计改变了Web的格局，特别是从安全的角度来看。如果使用WebView及其api, Web安全基础设施的两个基本部分将被削弱:客户端的可信计算基础(TCB)和浏览器实现的沙盒保护。因此，许多攻击既可以针对应用程序，也可以由应用程序发起。本文的目的是提出这些攻击，分析其根本原因，并讨论潜在的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Asia-Pacific Computer Systems Architecture Conference

自引率

0.00%

发文量