iPhish: phishing vulnerabilities on consumer electronics
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
The effectiveness of application permissions
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Attacks on WebView in the Android system
Proceedings of the 27th Annual Computer Security Applications Conference
Mediums: visual integrity preserving framework
Proceedings of the third ACM conference on Data and application security and privacy
Unauthorized origin crossing on mobile platforms: threats and mitigation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
AFrame: isolating advertisements from mobile applications in Android
Proceedings of the 29th Annual Computer Security Applications Conference
Securing embedded user interfaces: Android and beyond
SEC'13 Proceedings of the 22nd USENIX conference on Security
To make it easy for applications to interact with the Web, most mobile platforms, including Android, iOS, and Windows Phone, provide a mechanism that allows applications to embed a small but powerful browser component. This mechanism is called WebView in Android (it goes by different names on other platforms). WebView implements a number of APIs that applications can use to interact with the web contents inside WebView. Previous work has pointed out that malicious applications can use these APIs to attack the web contents inside WebView, and has proposed fixes for the problems of those APIs. We have discovered that even after those APIs are fixed, WebView is still not secure. This is because the previous work focuses only on the APIs specifically designed for WebView; it has overlooked the APIs that WebView inherits from its superclasses. These APIs are designed for general-purpose user interface (UI) components, and they seem to pose no risk to those components; however, the combination of these APIs with the Web has led to new risks. We have identified several attacks based on these APIs, which we call Touchjacking attacks. They treat WebView as a black box, i.e., they do not use the APIs that are designed specifically for WebView; instead, they use only the inherited APIs. Through these APIs, malicious applications can attack the web contents inside WebView. The impact of the attacks is quite significant, as all the platforms that we have studied, including Android, iOS, and Windows Phone, are vulnerable to these attacks.