1 research outputs found
Cross Site Request Forgery on Android WebView
Android has always been about connectivity and providing great browsing
experience. Web-based content can be embedded into the Android application
using WebView. It is a User Interface component that displays webpages. It can
either display a remote webpage or can also load static HTML data. This
encompasses the functionality of a browser that can be integrated to
application. WebView provides a number of APIs which enables the applications
to interact with the web content inside WebView. In the current paper Cross
site request forgery or XSRF attack specific to android WebView is
investigated. In XSRF attack the trusts of a web application in its
authenticated users is exploited by letting the attacker make arbitrary HTTP
requests on behalf of a victim user. When the user is logged into the trusted
site through the WebView the site authenticates the WebView and not
application. The application can launch attacks on the behalf of user with the
APIs of Webview exploiting user credentials resulting in Cross site request
forgery. Attacks can also be launched by setting cookies as HTTP headers and
making malicious HTTP Request on behalf of victim