Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Drew Davidson, Yaohui Chen, F. George, Long Lu, S. Jha
{"title":"Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems","authors":"Drew Davidson, Yaohui Chen, F. George, Long Lu, S. Jha","doi":"10.1145/3052973.3052998","DOIUrl":null,"url":null,"abstract":"A majority of today's mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web content can use the privileges of its embedding app to exfiltrate sensitive information such as the user's location and contacts. In this paper, we discuss security weaknesses of the interface between app code and web content through attacks, then introduce defenses that can be deployed without modifying the OS. Our defenses feature WIREframe, a service that securely embeds and renders external web content in Android apps, and in turn, prevents attacks between em- bedded web and host apps. WIREframe fully mediates the interface between app code and embedded web content. Un- like the existing web-embedding mechanisms, WIREframe allows both apps and embedded web content to define simple access policies to protect their own resources. These policies recognize fine-grained security principals, such as origins, and control all interactions between apps and the web. We also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps. Our evaluation, based on 7166 popular apps and 20 specially selected apps, shows these techniques work on complex apps and incur acceptable end-to-end performance overhead.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3052973.3052998","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 19

Abstract

A majority of today's mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web content can use the privileges of its embedding app to exfiltrate sensitive information such as the user's location and contacts. In this paper, we discuss security weaknesses of the interface between app code and web content through attacks, then introduce defenses that can be deployed without modifying the OS. Our defenses feature WIREframe, a service that securely embeds and renders external web content in Android apps, and in turn, prevents attacks between em- bedded web and host apps. WIREframe fully mediates the interface between app code and embedded web content. Un- like the existing web-embedding mechanisms, WIREframe allows both apps and embedded web content to define simple access policies to protect their own resources. These policies recognize fine-grained security principals, such as origins, and control all interactions between apps and the web. We also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps. Our evaluation, based on 7166 popular apps and 20 specially selected apps, shows these techniques work on complex apps and incur acceptable end-to-end performance overhead.
商品移动操作系统上Web内容和应用程序的安全集成
今天的大多数移动应用程序都集成了各种各样的网络内容。不幸的是,应用程序代码和网页内容之间的交互暴露了新的攻击媒介:恶意应用程序可以破坏其嵌入的网页内容以窃取用户机密;另一方面,恶意的网络内容可以利用其嵌入的应用程序的特权来泄露用户的位置和联系人等敏感信息。在本文中,我们通过攻击讨论了应用程序代码和web内容之间的接口的安全弱点,然后介绍了无需修改操作系统即可部署的防御措施。我们的防御功能是WIREframe,一种在Android应用程序中安全地嵌入和呈现外部web内容的服务,反过来,防止嵌入式web和主机应用程序之间的攻击。线框完全协调了应用程序代码和嵌入式web内容之间的接口。与现有的web嵌入机制不同,WIREframe允许应用程序和嵌入的web内容定义简单的访问策略来保护它们自己的资源。这些策略识别细粒度的安全原则,例如来源,并控制应用程序和web之间的所有交互。我们还介绍了WIRE (Web Isolation重写引擎),这是一个离线应用重写工具,允许应用用户将线框保护注入到现有应用中。我们基于7166个流行应用程序和20个特别挑选的应用程序进行了评估,结果显示,这些技术在复杂的应用程序上也能起作用,并且会产生可接受的端到端性能开销。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信