WEBVIEW VULNERABILITIES IN ANDROID APPLICATIONS
Erika Chin and David Wagner
UC Berkeley

ORGANIZATION
• WebViews
• Danger of WebViews
• Bifocals
• Results
• Common developer confusion
• Recommendations

WEBVIEWS
• Allow the developer to display web content within their own app
• 70% of applications use WebViews

WEBVIEWS
[Figure labels: iPhone, Android, Kindle Fire, Web app]

ABILITY OF WEBVIEWS
• Developers can allow JavaScript in the WebView to invoke application code
• Gives websites access to system resources and data

EXAMPLE
Mobile app code:
    myWebView.addJavascriptInterface(new MobileClass(), "Mc");
Web app code:
    <script>
      Mc.mobileFunction(x,y,z);
    </script>

EXCESS AUTHORIZATION VULNERABILITY
• Code access is granted to any JavaScript loaded in the WebView [1]
• Web content can contain malicious JavaScript
  ◦ Frames
  ◦ User Navigation
• Network can be malicious (http vs. https)
  ◦ Man-in-the-middle attacker
[1] Luo, ACSAC

ALIVE APP EXAMPLE
[Diagram labels: Website, WebView]

ALIVE APP EXAMPLE
[Diagram labels: WebView, App, 3rd party content, Links, MITM Attacker]

BIFOCALS
Two-part tool: Mobile and Web
1. Statically analyzes app's WebViews
2. Dynamically analyzes loaded websites
[Diagram labels: Static Analysis, Exposes Interfaces, Web crawler, URIs, Vuln., WebViews]

BIFOCALS, PT. 1
• Flow-sensitive interprocedural static analysis
• Analyzes apps' WebViews to determine:
  ◦ URI loaded
  ◦ Ability to navigate the web
  ◦ Whether it grants access to code and privileged resources
    ▪ Transitive calls
    ▪ Returned objects
    ▪ Inheritance
    ▪ Java reflection

BIFOCALS, PT. 2
• Crawls websites to a nested depth of 3
• Dynamically analyzes loaded websites for:
  ◦ Insecure communication (http://)
  ◦ Third-party content
    ▪ Ads (via AdBlock)
    ▪ Frames
    ▪ Links

EVALUATION: PREVALENCE
• Ran our tool on ~1000 applications
• 70% of applications use WebViews
• 20% of applications with WebViews expose interfaces
• 11% of apps with WebViews are vulnerable
  ◦ 11% via network attacker (MITM)
  ◦ 9% via web attacker
Over half of apps that register interfaces are vulnerable

EVALUATION: IMPACT
• By permission use
• 56% of vulnerable apps give attackers access to privileged resources
  ◦ Access to unique device ID
  ◦ Access to the SD card
  ◦ Keeping the phone awake

SOURCE OF CONFUSION
• Registering an interface may expose more code than intended
  ◦ Any public method in the interface
  ◦ Transitive calls
  ◦ Parent classes
  ◦ Returned objects' methods

SOURCE OF CONFUSION
• Developers may give more websites access to the mobile app than intended
  ◦ Embedded content: frames, ads
  ◦ Navigation
    ▪ Implicit changes to navigation policy
    ▪ Difficulties implementing policy

IMPLICIT CHANGES TO NAVIGABILITY
    WebView webview = new WebView(…);
    webview.setWebViewClient(new WebViewClient());

NAVIGATION POLICY: UNNECESSARY CODE
Default:
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return false;
    }
Overridden:
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        view.loadUrl(url);
        return true;
    }

DEVELOPER RECOMMENDATIONS
• Limit JavaScript in WebViews
• Limit navigability
• Limit access to application code

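Added example, not from the original slides: one way an app could apply "limit navigability" and "limit access to application code" to the WebView from the earlier slides. The host app.example.com, the class names and the appVersion method are hypothetical; only the interface name "Mc" comes from the slides.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: restricts top-level navigation and the exposed interface.
public final class RestrictedWebView {
    // Assumption: the single host the app trusts (placeholder value).
    static final String TRUSTED_HOST = "app.example.com";

    // True only for https URLs whose host is exactly the trusted host.
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    // Narrow bridge: no parent class, one annotated method, returns a String only.
    static final class Bridge {
        @JavascriptInterface // required for exposure when targeting API 17+
        public String appVersion() {
            return "1.0"; // constructed value
        }
    }

    static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "Mc");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (isTrusted(url)) {
                    return false; // trusted https page: keep it in this WebView
                }
                // Other web links open in the browser, away from "Mc"; the rest is dropped.
                String scheme = Uri.parse(url).getScheme();
                if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
                    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
                    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                    view.getContext().startActivity(intent);
                }
                return true;
            }
        });
        // The callback above is not consulted for this initial load, so it is https by construction.
        webView.loadUrl("https://" + TRUSTED_HOST + "/");
    }
}
```

This filter covers top-level navigation only; frames and ads embedded in the trusted page still run inside the WebView and can reach the registered interface.
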
PLATFORM RECOMMENDATIONS
• Use a domain-based policy for interface access
• Approach
  ◦ Infer trusted domain
  ◦ Supplement with a whitelist
• Patches 60% of vulnerabilities found

CONCLUSION
• Mobile platforms provide powerful APIs to enable rich interaction in apps
• Developers may not realize the consequences of their design
• We need to help developers create secure apps