Attacks on WebView in the Android System

WebView is an essential component in both Android and iOS platforms, enabling smartphone and tablet apps to embed a simple but powerful browser inside them. To achieve a better interaction between apps and their embedded\browsers , WebView provides a number of APIs, allowing code in apps to invoke and be invoked by the JavaScript code within the web pages, intercept their events, and modify those events. Using these features, apps can become customized \browsers for their intended web applications. Currently, in the Android market, 86 percent of the top 20 most downloaded apps in 10 diverse categories use WebView. The design ofWebView changes the landscape of theWeb, especially from the security perspective. Two essential pieces of the Web\u27s security infrastructure are weakened if Web- View and its APIs are used: the Trusted Computing Base (TCB) at the client side, and the sandbox protection implemented by browsers. As results, many attacks can be launched either against apps or by them. The objective of this paper is to present these attacks, analyze their fundamental causes, and discuss potential solutions

ATTACKS AND COUNTERMEASURES FOR WEBVIEW ON MOBILE SYSTEMS

ABSTRACT All the mainstream mobile operating systems provide a web container, called ``WebView\u27\u27. This Web-based interface can be included as part of the mobile application to retrieve and display web contents from remote servers. WebView not only provides the same functionalities as web browser, more importantly, it enables rich interactions between mobile apps and webpages loaded inside WebView. Through its APIs, WebView enables the two-way interaction. However, the design of WebView changes the landscape of the Web, especially from the security perspective. This dissertation conducts a comprehensive and systematic study of WebView\u27s impact on web security, with a particular focus on identifying its fundamental causes. This dissertation discovers multiple attacks on WebView, and proposes new protection models to enhance the security of WebView. The design principles of these models are also described as well as the prototype implementation in Android platform. Evaluations are used to demonstrate the effectiveness and performance of these protection models