{"title":"Proposing and Testing New Security Cue Designs for OAuth-WebView-Embedded Mobile Applications","authors":"Fadi Mohsen, Mohamed Shehab","doi":"10.1109/CIC.2017.00063","DOIUrl":null,"url":null,"PeriodicalId":156843,"journal":{"name":"2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC)","volume":"88 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CIC.2017.00063","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Proposing and Testing New Security Cue Designs for OAuth-WebView-Embedded Mobile Applications
Today, many online service providers use the WebView-OAuth implementation in their Software Development Kits (SDKs) to seamlessly integrate their services into mobile applications. This approach has been shown to be a target of JavaScript injection attacks that could lead to users losing their credentials or being tricked into authorizing suspicious apps on their accounts. A number of solutions have been proposed to counter these attacks. However, the majority of these solutions do not involve users in making the prevention decision and/or do not communicate the decision taken to them. There are two reasons for this: first, the focus of these works was mainly on detecting and preventing the attacks; second, there is a lack of effective security cue designs for the context of WebView-based applications. In this paper, we investigate different security cue designs to help keep users informed of what these solutions are doing. Finding an effective security cue design for mobile browsers is challenging, and more so for WebView browsers. Thus, in this work, we propose and test a number of security cue designs based on their understandability, noticeability, and effectiveness by conducting an online user study of 465 users. Our study found that some of the proposed security cue designs were truly noticeable, understandable, and effective in alerting users to any suspicious activity. We highly recommend that these security designs be used by the numerous security tools that detect and/or prevent WebView-based attacks.