Bifocals: Analyzing webview vulnerabilities in android applications

Abstract

WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device's file system to an attacker. We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11% of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60% of the vulnerable applications with little burden on developers. © 2014 Springer International Publishing Switzerland.

Chin, E., & Wagner, D. (2014). Bifocals: Analyzing webview vulnerabilities in android applications. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8267 LNCS, pp. 138–159). Springer Verlag. https://doi.org/10.1007/978-3-319-05149-9_9
