Skip to main content

Exploiting Android Browser

  • Conference paper
  • First Online:
Cryptology and Network Security (CANS 2023)

Abstract

Android permission is a system of safeguards designed to restrict access to potentially sensitive data and privileged components. While third-party applications are restricted from accessing privileged resources without appropriate permissions, mobile browsers are treated by Android OS differently. Android mobile browsers are the privileged applications that have access to sensitive data based on the permissions implicitly granted to them. In this paper, we present a novel attack approach that allows a permission-less app to access sensitive data and privileged resources using mobile browsers as a proxy. We demonstrate the effectiveness of our proxy attack on 8 mobile browsers across 12 Android devices ranging from Android 8.1 to Android 13. Our findings show that all current versions of Android mobile browsers are susceptible to this attack. The findings of this study highlight the need for improved security measures in Android browsers to protect against privilege escalation and privacy leakage.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://github.com/thecyberlab/androidproxyattack.

  2. 2.

    CVE-2021-0954: https://www.cvedetails.com/cve/CVE-2021-0954/, CVE-2021-39692: https://www.cvedetails.com/cve/CVE-2021-39692/,.

  3. 3.

    https://play.google.com/store/apps/details?id=com.antivirus.

  4. 4.

    https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware.

  5. 5.

    https://play.google.com/store/apps/details?id=pl.revanmj.toastsource.

  6. 6.

    https://oneplus.custhelp.com/app/ask.

References

  1. Aafer, Y., Tao, G., Huang, J., Zhang, X., Li, N.: Precise Android API protection mapping derivation and reasoning. In: Proceedings of the 2018 ACM SIGSAC CCS, pp. 1151–1164. ACM, New York (2018)

    Google Scholar 

  2. Aldoseri, A., Oswald, D.: Insecure://vulnerability analysis of URI scheme handling in Android mobile browsers. In: Proceedings of the Workshop on MADWeb (2022)

    Google Scholar 

  3. Alepis, E., Patsakis, C.: Trapped by the UI: the Android case. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 334–354. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_15

    Chapter  Google Scholar 

  4. Android: Permissions on Android (2022). https://developer.android.com/guide/topics/permissions/overview#system-components

  5. Backes, M., Bugiel, S., Derr, E., Mcdaniel, P., Octeau, D., Weisgerber, S.: On demystifying the Android application framework: re-visiting Android permission specification analysis. In: USENIX Security Symposium (2016)

    Google Scholar 

  6. Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the Android user interface. In: 2015 IEEE Symposium on Security and Privacy, pp. 931–948 (2015)

    Google Scholar 

  7. Block, K., Narain, S., Noubir, G.: An autonomic and permissionless Android covert channel. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 184–194 (2017)

    Google Scholar 

  8. Block, K., Noubir, G.: My magnetometer is telling you where I’ve been? A mobile device permissionless location attack. In: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 260–270 (2018)

    Google Scholar 

  9. Calciati, P., Kuznetsov, K., Gorla, A., Zeller, A.: Automatically granted permissions in Android apps: an empirical study on their prevalence and on the potential threats for privacy. In: Proceedings of the 17th International Conference on MSR, pp. 114–124. ACM, New York (2020)

    Google Scholar 

  10. Contributors, M.: Navigator: devicememory property (2023). https://developer.mozilla.org/en-US/docs/Web/API/Navigator/deviceMemory

  11. DB, G.: https://www.geolocation-db.com/documentation

  12. Egners, A., Meyer, U., Marschollek, B.: Messing with Android’s permission model. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 505–514. IEEE (2012)

    Google Scholar 

  13. Felt, A.P., Wagner, D.: Phishing on mobile devices. In: W2SP (2011)

    Google Scholar 

  14. Fernandes, E., et al.: Android UI deception revisited: attacks and defenses. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 41–59. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_3

    Chapter  Google Scholar 

  15. Fratantonio, Y., Qian, C., Chung, S.P., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1041–1057. IEEE (2017)

    Google Scholar 

  16. Garg, S., Baliyan, N.: Comparative analysis of Android and iOS from security viewpoint. Comput. Sci. Rev. 40, 100372 (2021)

    Article  Google Scholar 

  17. Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17

    Chapter  Google Scholar 

  18. GOOGLE: Permissions and APIs that Access Sensitive Information (2020). https://support.google.com/googleplay/android-developer/answer/9888170?hl=en &ref_topic=9877467

  19. Google: Android developers reference (2022). https://developer.android.com/reference/android/R.attr#protectionLevel

  20. Google: Android Security Bulletin-December 2021 (2022). https://source.android.com/docs/security/bulletin/2021-12-01#system

  21. Google: Android Security Bulletin-March 2022 (2022). https://source.android.com/docs/security/bulletin/2022-03-01#framework

  22. Google: Android Security Bulletin-September 2017 (2022). https://source.android.com/docs/security/bulletin/2017-09-01#2017-09-01-details

  23. Google: Android Debug Bridge (ADB) (2023). https://developer.android.com/studio/command-line/adb

  24. Google: Behavior changes: all apps (2023). https://developer.android.com/about/versions/12/behavior-changes-all#untrusted-touch-events

  25. Google: Features and APIs Overview (2023). https://developer.android.com/about/versions/12/features#pixel-phishing-detection

  26. Google: Tapjacking (2023). https://developer.android.com/topic/security/risks/tapjacking

  27. GOOGLE: Use of the broad package (App) visibility (QUERY_ALL_PACKAGES) permission (2023). https://support.google.com/googleplay/android-developer/answer/10158779?hl=en

  28. Google: View(Security) (2023). https://developer.android.com/reference/android/view/View#security

  29. Hartzheim, A.: Technical analysis of duckduckgo privacy essentials (part 1) (2021). https://austinhartzheim.me/blog/2021/06/27/ddg-technical-analysis-part-1.html

  30. Hassanshahi, B., Jia, Y., Yap, R.H.C., Saxena, P., Liang, Z.: Web-to-application injection attacks on Android: characterization and detection. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 577–598. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_29

    Chapter  Google Scholar 

  31. Li, L., Bissyandé, T.F., Le Traon, Y., Klein, J.: Accessing inaccessible Android APIs: an empirical study. In: 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411–422 (2016)

    Google Scholar 

  32. Luo, T., Jin, X., Ananthanarayanan, A., Du, W.: Touchjacking attacks on web in Android, iOS, and Windows phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds.) FPS 2012. LNCS, vol. 7743, pp. 227–243. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37119-6_15

    Chapter  Google Scholar 

  33. Narain, S., Vo-Huu, T.D., Block, K., Noubir, G.: Inferring user routes and locations using zero-permission mobile sensors. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 397–413. IEEE (2016)

    Google Scholar 

  34. Niemietz, M., Schwenk, J.: UI Redressing Attacks on Android Devices. Black Hat Abu Dhabi (2012)

    Google Scholar 

  35. Olejnik, Ł, Acar, G., Castelluccia, C., Diaz, C.: The leaking battery: a privacy analysis of the HTML5 battery status API. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29883-2_18

    Chapter  Google Scholar 

  36. Possemato, A., Lanzi, A., Chung, S.P.H., Lee, W., Fratantonio, Y.: Clickshield: are you hiding something? Towards eradicating clickjacking on Android. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1120–1136 (2018)

    Google Scholar 

  37. Qiu, Y.: Tapjacking: an untapped threat in Android. Trend Micro, [H\(\lambda \)\(\varepsilon \)\(\kappa \)\(\tau \)\(\rho \)o\(\nu \)\(\iota \)\(\kappa \)ó] (2012). http://blog.trendmicro.com/trendlabs-security-intelligence/tapjacking-an-untapped-threat-inandroid/. [\(\Pi \)\(\rho \)ó\(\sigma \)\(\beta \)\(\alpha \)\(\sigma \)\(\eta \) 7 12 2016]

  38. Reardon, D.: Measuring the prevalence of browser fingerprinting within browser extensions (2018)

    Google Scholar 

  39. Rydstedt, G., Gourdin, B., Bursztein, E., Boneh, D.: Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks. In: Proceedings of the 4th USENIX Conference on Offensive Technologies, pp. 1–8 (2010)

    Google Scholar 

  40. Shao, Y., Chen, Q.A., Mao, Z.M., Ott, J., Qian, Z.: Kratos: discovering inconsistent security policy enforcement in the Android framework. In: NDSS (2016)

    Google Scholar 

  41. Statista: Mobile Android operating system market share by version worldwide from January 2018 to January 2023 (2023). https://www.statista.com/statistics/921152/mobile-android-version-share-worldwide/

  42. Wang, S., et al.: Implication of animation on Android security. In: 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 1122–1132 (2022)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Animesh Kar .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kar, A., Stakhanova, N. (2023). Exploiting Android Browser. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-7563-1_8

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7562-4

  • Online ISBN: 978-981-99-7563-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics