WEBVIEW VULNERABILITIES IN ANDROID APPLICATIONS

Erika Chin and David Wagner

UC Berkeley

2

ORGANIZATION

¢ WebViews

¢ Danger of WebViews

¢ Bifocals

¢ Results

¢ Common developer confusion

¢ Recommendations 3

WEBVIEWS

¢ Allow the developer to display web content within their own app

¢  70% of applications use WebViews

4

WEBVIEWS

5

iPhone

Android

Kindle Fire

Web app

ABILITY OF WEBVIEWS

6

¢ Developers can allow JavaScript in the WebView to invoke application code

¢ Gives websites access to system resources and data

EXAMPLE

Mobile app code: myWebView.addJavascriptInterface(!

! ! ! !new MobileClass(),!! ! ! !“Mc”);!

Web app code: <script>!

!Mc.mobileFunction(x,y,z);!</script>!

7

EXCESS AUTHORIZATION VULNERABILITY

¢ Code access is granted to any JavaScript loaded in the WebView1

¢ Web content can contain malicious JavaScript �  Frames �  User Navigation

¢ Network can be malicious (http vs. https) �  Man-in-the-middle attacker

8

1Luo, ACSAC

ALIVE APP EXAMPLE

9 Website

WebView

ALIVE APP EXAMPLE

10

WebView

App

3rd party content

Links

MITM Attacker

BIFOCALS

Two-part tool: Mobile and Web

1.  Statically analyzes app’s WebViews 2.  Dynamically analyzes loaded websites

11

Static Analysis

Exposes Interfaces

Web crawler URIs Vuln.

WebViews

BIFOCALS, PT. 1

¢ Flow-sensitive interprocedural static analysis

¢ Analyzes apps’ WebViews to determine: �  URI loaded �  Ability to navigate the web

�  Whether it grants access to code and privileged resources ¢ Transitive calls ¢ Returned objects ¢ Inheritance ¢ Java reflection

12

BIFOCALS, PT. 2

¢ Crawls websites to a nested depth of 3

¢ Dynamically analyzes loaded websites for: �  Insecure communication (http://) �  Third-party content

¢ Ads (via AdBlock) ¢ Frames ¢ Links

13

EVALUATION: PREVALENCE

¢ Ran our tool on ~1000 applications

¢  70% of applications use WebViews

¢  20% of applications with WebViews expose interfaces

¢  11% of apps with WebViews are vulnerable �  11% via network attacker (MITM) �  9% via web attacker

Over half of apps that register interfaces are vulnerable 14

EVALUATION: IMPACT

¢ By permission use

¢  56% of vulnerable apps give attackers access to privileged resources �  Access to unique device ID �  Access to the SD card �  Keeping the phone awake

15

SOURCE OF CONFUSION

¢ Registering an interface may expose more code than intended �  Any public method in the interface �  Transitive calls �  Parent classes �  Returned objects’ methods

16

SOURCE OF CONFUSION

¢ Developers may give more websites access to the mobile app than intended �  Embedded content – frames, ads �  Navigation

¢  Implicit changes to navigation policy ¢  Difficulties implementing policy

17

IMPLICIT CHANGES TO NAVIGABILITY

!

!

WebView webview = new WebView(…);!!webview.setWebViewClient(new ! !

!WebViewClient());!

18

NAVIGATION POLICY: UNNECESSARY CODE Default: public boolean shouldOverrideUrlLoading(WebView

!view, String url)!{! return false;!}! Overridden: public boolean shouldOverrideUrlLoading(WebView!

!view, String url)!{! view.loadUrl(url);! return true;!}! 19

DEVELOPER RECOMMENDATIONS

¢ Limit JavaScript in WebViews

¢ Limit navigability

¢ Limit access to application code

20

PLATFORM RECOMMENDATIONS

¢ Use a domain-based policy for interface access

¢ Approach �  Infer trusted domain �  Supplement with a whitelist

¢ Patches 60% of vulnerabilities found

21

CONCLUSION

¢ Mobile platforms provide powerful APIs to enable rich interaction in apps

¢ Developers may not realize the consequences of their design

¢ We need to help developers create secure apps

22

Thank you!

emc@cs.berkeley.edu

23