You've been warned: an empirical study of the effectiveness of web browser phishing warnings
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Analyzing inter-application communication in Android
MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
The effectiveness of application permissions
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
ZOZZLE: fast and precise in-browser JavaScript malware detection
SEC'11 Proceedings of the 20th USENIX conference on Security
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Detecting repackaged smartphone applications in third-party android marketplaces
Proceedings of the second ACM conference on Data and Application Security and Privacy
Measuring SSL indicators on mobile browsers: extended life, or end of the road?
ISC'12 Proceedings of the 15th international conference on Information Security
Hi-index | 0.00 |
The distinction between mobile applications built for specific platforms and that run in mobile browsers is increasingly being blurred. As HTML5 becomes universally deployed and mobile web apps directly take advantage of device features such as the camera, microphone and geolocation information, this difference will vanish almost entirely. In spite of this increasing similarity, the permission systems protecting mobile device resources for native1 and web apps are dramatically different. In this position paper, we argue that the increasing indistinguishability between such apps coupled with the dynamic nature of mobile web apps calls for reconsidering the current permission model for mobile web apps. We first discuss factors associated with securing mobile web apps in comparison to traditional apps. We then propose a mechanism that presents a holistic view of the permissions required by a web app and provides a simple, single-stop permission management process. We then briefly discuss issues surrounding the use and deployment of this technique. In so doing, we argue that in the absence of an in-cloud security model for mobile web apps, client side defenses are limited. Our model can provide users with a better chance of making informed security decisions and may also aid researchers in assessing security of mobile web apps.