Advertisement

BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

  • Claudio RizzoEmail author
  • Lorenzo CavallaroEmail author
  • Johannes KinderEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)

Abstract

A Webview embeds a fully-fledged browser in a mobile application and allows that application to expose a custom interface to JavaScript code. This is a popular technique to build so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the custom interface and can use it to manipulate the device or exfiltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact of code injection attacks against Webviews using static information flow analysis. Our key idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior—the BabelView. We evaluate our approach on 25,000 apps from various Android marketplaces, finding 10,808 potential vulnerabilities in 4,997 apps. Taken together, the apps reported as problematic have over 3 billion installations worldwide. We manually validate a random sample of 50 apps and estimate that our fully automated analysis achieves a precision of 81% at a recall of 89%.

Keywords

Webview Javascript interface Injection Static analysis 

Notes

Acknowledgement

We would like to thank our shepherd, Angelos Stavrou, and the anonymous reviewers for their valuable feedback. We are grateful to Roberto Jordaney, Blake Loring, Duncan Mitchell, James Patrick-Evans, Feargus Pendlebury, and Versha Prakash for their help and their comments on earlier drafts of this paper. This work was in part supported by EPSRC grant EP/L022710/1 and a Google Faculty Award.

References

  1. 1.
    Allix, K., Bissyandé, T.F., Klein, J., Traon, Y.L.: Androzoo: collecting millions of Android apps for the research community. In: Proceedings of 13th International Conference on Mining Software Repositories (MSR), pp. 468–471. ACM (2016)Google Scholar
  2. 2.
    Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: ACM SIGPLAN Conference Programming Language Design and Implementation (PLDI), pp. 259–269. ACM (2014)Google Scholar
  3. 3.
    Ball, T., et al.: Thorough static analysis of device drivers. In: Proceedings of 2006 EuroSys Conference, pp. 73–85. ACM (2006)Google Scholar
  4. 4.
    Bhavani, A.B.: Cross-site scripting attacks on Android WebView. CoRR abs/1304.7451 (2013)Google Scholar
  5. 5.
    Brucker, A.D., Herzberg, M.: On the static analysis of hybrid mobile apps. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 72–88. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-30806-7_5CrossRefGoogle Scholar
  6. 6.
    Chin, E., Wagner, D.: Bifocals: analyzing WebView vulnerabilities in Android applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 138–159. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-05149-9_9CrossRefGoogle Scholar
  7. 7.
    Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why eve and mallory love Android: an analysis of Android SSL (in)security. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 50–61. ACM (2012)Google Scholar
  8. 8.
    Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Annual Network and Distributed System Security Symposium (NDSS) (2014)Google Scholar
  9. 9.
    Hassanshahi, B., Jia, Y., Yap, R.H.C., Saxena, P., Liang, Z.: Web-to-application injection attacks on Android: characterization and detection. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 577–598. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-24177-7_29CrossRefGoogle Scholar
  10. 10.
    Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 66–77. ACM (2014)Google Scholar
  11. 11.
    Jin, X., Wang, L., Luo, T., Du, W.: Fine-grained access control for HTML5-based mobile applications in Android. In: Desmedt, Y. (ed.) ISC 2013. LNCS, vol. 7807, pp. 309–318. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-27659-5_22CrossRefGoogle Scholar
  12. 12.
    Kinder, J., Veith, H.: Precise static analysis of untrusted driver binaries. In: Proceedings of 10th International Conference on Formal Methods in Computer-Aided Design (FMCAD), pp. 43–50 (2010)Google Scholar
  13. 13.
    Lee, S., Dolby, J., Ryu, S.: HybriDroid: static analysis framework for Android hybrid applications. In: Proc. IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 250–261. ACM (2016)Google Scholar
  14. 14.
    Li, T., et al.: Unleashing the walking dead: understanding cross-app remote infections on mobile WebViews. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2017)Google Scholar
  15. 15.
    Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Annual Computer Security Applications Conference (ACSAC), pp. 343–352. ACM (2011)Google Scholar
  16. 16.
    Luo, T., Jin, X., Ananthanarayanan, A., Du, W.: Touchjacking attacks on Web in Android, iOS, and Windows phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds.) FPS 2012. LNCS, vol. 7743, pp. 227–243. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-37119-6_15CrossRefGoogle Scholar
  17. 17.
    Mutchler, P., Doupé, A., Mitchell, J., Kruegel, C., Vigna, G.: A large-scale study of mobile web app security. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST). IEEE (2015)Google Scholar
  18. 18.
    Mutchler, P., Safaei, Y., Doupé, A., Mitchell, J.C.: Target fragmentation in Android apps. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST), pp. 204–213. IEEE (2016)Google Scholar
  19. 19.
    MWR InfoSecurity: WebView addJavascriptInterface remote code execution, September 2013. https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
  20. 20.
    Neugschwandtner, M., Lindorfer, M., Platzer, C.: A view to a kill: WebView exploitation. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2013)Google Scholar
  21. 21.
    Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: HybridGuard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications. In: Proceedings of IEEE Symposium on Security and Privacy Workshops (SPW), Mobile Security Technologies (MoST) (2017)Google Scholar
  22. 22.
    Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing Android sources and sinks. In: Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2014)Google Scholar
  23. 23.
    Shehab, M., Jarrah, A.A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Proceedings of International Workshop on Mobile Development Lifecycle (MobileDeLi), pp. 1–8. ACM (2014)Google Scholar
  24. 24.
    Thomas, D.R.: The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface (transcript of discussion). In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2015. LNCS, vol. 9379, pp. 139–144. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-26096-9_14CrossRefGoogle Scholar
  25. 25.
    Thomas, D.R., Beresford, A.R., Rice, A.C.: Security metrics for the Android ecosystem. In: Proceedings of ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 87–98. ACM (2015)Google Scholar
  26. 26.
    Tuncay, G.S., Demetriou, S., Gunter, C.A.: Draco: a system for uniform and fine-grained access control for web code on Android. In: Proceedings ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 104–115. ACM (2016)Google Scholar
  27. 27.
    Vallée-Rai, R. Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a Java bytecode optimization framework. In: Proceedings of Conference on Centre for Advanced Studies on Collaborative Research (CASCON), p. 13 (1999)Google Scholar
  28. 28.
    Wu, D., Liu, X., Xu, J., Lo, D., Gao, D.: Measuring the declared SDK versions and their consistency with API calls in Android apps. In: Ma, L., Khreishah, A., Zhang, Y., Yan, M. (eds.) WASA 2017. LNCS, vol. 10251, pp. 678–690. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-60033-8_58CrossRefGoogle Scholar
  29. 29.
    Yang, G., Huang, J., Gu, G.: Automated generation of event-oriented exploits in Android hybrid apps. In: Annual Network and Distributed System Security Symposium (NDSS) (2018)Google Scholar
  30. 30.
    Yang, G., Huang, J., Gu, G., Mendoza, A.: Study and mitigation of origin stripping vulnerabilities in hybrid-postmessage enabled mobile applications. In: Proceedings of IEEE Symposium on Security and Privacy (S&P) (2018)Google Scholar
  31. 31.
    Yang, G., Mendoza, A., Zhang, J., Gu, G.: Precisely and scalably vetting JavaScript bridge in Android hybrid apps. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017, pp. 143–166. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66332-6_7CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Royal Holloway, University of LondonEghamUK

Personalised recommendations