Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS

Yu, Jing; Yamauchi, Toshihiro

doi:10.1587/transinf.2014icl0001

Cited by 6 publications

(6 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, this API makes it possible to invoke all the public methods in these Java objects from the JavaScript loaded within WebView. However, some attacks exploiting this API have been reported [4,[6][7][8]13,14]. To address these attacks and improve the security of WebView, some previous studies have proposed some access control mechanisms.…”

Section: Related Workmentioning

confidence: 99%

“…Moreover, Android app developers can set access permissions by specifying a resource's URL. Yu et al [7] have proposed an access control mechanism that can control the access to security-sensitive APIs in Android from the JavaScript code by controlling the registration of Java objects through addJavascriptInterface API. Draco [8] can control access to device resources from web content, which are of different web origins, so as to prevent the attack that exploits the addJavascriptInterface API.…”

Section: Related Workmentioning

confidence: 99%

“…Although WebView can use only Google Safe Browsing, this measure alone is not enough to protect web access via WebView, especially from fake virus alerts, which use malvertising to redirect the users to web pages and scam the users into installing the suspicious Android app. Moreover, previous studies have reported attacks exploiting WebView and presented countermeasures against these attacks [4][5][6][7][8][9][10][11][12][13][14][15][16]. Some studies have presented access control methods to prevent malicious JavaScript codes from exploiting the vulnerabilities of WebView [6][7][8] and to prevent app-repackage attacks in Cordova-based hybrid applications [9].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Web access monitoring mechanism via Android WebView for threat analysis

Imamura

Orito

Uekawa

et al. 2021

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

Many Android apps employ WebView, a component that enables the display of web content in the apps without redirecting users to web browser apps. However, WebView might also be used for cyberattacks. Moreover, to the best of our knowledge, although some countermeasures based on access control have been reported for attacks exploiting WebView, no mechanism for monitoring web access via WebView has been proposed and no analysis results focusing on web access via WebView are available. In consideration of this limitation, we propose a web access monitoring mechanism for Android WebView to analyze web access via WebView and clarify attacks exploiting WebView. In this paper, we present the design and implementation of this mechanism by modifying Chromium WebView without any modifications to the Android framework or Linux kernel. The evaluation results of the performance achieved on introducing the proposed mechanism are also presented here. Moreover, the result of threat analysis of displaying a fake virus alert while browsing websites on Android is discussed to demonstrate the effectiveness of the proposed mechanism.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Web access monitoring mechanism via Android WebView for threat analysis

Imamura

Orito

Uekawa

et al. 2021

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…On the other hand, to improve the security of the Android platform, Backes et al [13], Nauman et al [14], Wang et al [15], Conti et al [16], Bugiel et al [17], and Yu et al [18] proposed fine-grained access control mechanisms on Android. In the range of control objects, previous researches [13], [14], [15], [16], [17], [18] showed that control can be achieved regardless of the Android application type. The proposed technique can control when an Android application uses the Cordova framework.…”

Section: Related Workmentioning

confidence: 99%

Access Control Mechanism to Mitigate Cordova Plugin Attacks in Hybrid Applications

Kudo

Yamauchi

Austin

2018

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agonistic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel apprepackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.

show abstract

“…On the other hand, to improve security of Android, Backes et al [12], Nauman et al [13], Wang et al [14], Conti et al [15], Bugiel et al [16], and Yu et al [17] proposed fine-grained access control mechanisms on Android. Previous research modifies the Android OS and the Android framework, requiring mobile users to replace them with these defenses.…”

Section: Related Workmentioning

confidence: 99%

Access Control for Plugins in Cordova-Based Hybrid Applications

Kudo

Yamauchi

Austin

2017

2017 IEEE 31st International Conference on Advanced Information Networking and Applications (AINA)

Self Cite

View full text Add to dashboard Cite

Hybrid application frameworks such as Cordova allow mobile application (app) developers to create platformindependent apps. The code is written in JavaScript, with special APIs to access device resources in a platform-agnostic way. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to tamper with device resources. We further demonstrate a defense against this attack through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to app-repackaging attacks.

show abstract

Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS

Cited by 6 publications

References 6 publications

Web access monitoring mechanism via Android WebView for threat analysis

Web access monitoring mechanism via Android WebView for threat analysis

Access Control Mechanism to Mitigate Cordova Plugin Attacks in Hybrid Applications

Access Control for Plugins in Cordova-Based Hybrid Applications

Contact Info

Product

Resources

About