Reliable Ad Hoc Smartphone Application Creation for End Users

Nadkarni, Adwait; Verma, Akash; Tendulkar, Vasant; Enck, William

doi:10.1201/b21885-3

Cited by 3 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The proposed solutions isolate ads from hosting app by placing ads in a separate process or app. NativeWrap [18] expands the similar isolation to cover web applications in WebViews. Our work also uses process boundaries to separate apps and web content, but is compatible with all kinds of WebView usages and considers both web-to-app and app-to-web attacks.…”

Section: Related Workmentioning

confidence: 99%

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Davidson

Chen

Franklin

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

A majority of today's mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web content can use the privileges of its embedding app to exfiltrate sensitive information such as the user's location and contacts. In this paper, we discuss security weaknesses of the interface between app code and web content through attacks, then introduce defenses that can be deployed without modifying the OS. Our defenses feature WIREframe, a service that securely embeds and renders external web content in Android apps, and in turn, prevents attacks between embedded web and host apps. WIREframe fully mediates the interface between app code and embedded web content. Unlike the existing web-embedding mechanisms, WIREframe allows both apps and embedded web content to define simple access policies to protect their own resources. These policies recognize fine-grained security principals, such as origins, and control all interactions between apps and the web. We also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps. Our evaluation, based on 7166 popular apps and 20 specially selected apps, shows these techniques work on complex apps and incur acceptable end-to-end performance overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Davidson

Chen

Franklin

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Some research efforts also specifically target hybrid application security [12,14,22,23], but the field is still in its infancy.…”

Section: Mobile Application Securitymentioning

confidence: 99%

“…Aside from a handful of researcher efforts such as [22] and [23] that focus on security additions for hybrid app TNCs, hybrid app security research is lacking [22]. Jain and Shanbhag [9] highlight several security issues affecting mobile applications (native and web) that include client-side injection, weak server-side controls, improper session handling, security decisions via untrusted input, sidechannel data leakage, and insecure data storage, among others.…”

Section: Mobile Application Securitymentioning

confidence: 99%

“…They point to the need for better vulnerability analysis within TNCs. Nadkarni [23] proposes an application wrapping architecture that embeds an arbitrary website within a hybrid app and distributes it as an application package. Their approach is useful for limiting permissions to web apps, but doesn't address security issues with hybrid apps or TNCs themselves.…”

Section: Mobile Application Securitymentioning

confidence: 99%

See 1 more Smart Citation

A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services

Hale

Hanson

2015

2015 IEEE World Congress on Services

View full text Add to dashboard Cite

Web traffic is increasingly trending towards mobile devices driving developers to tailor web content to small screens and customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device independent, means for developers to utilize these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that doesn't depend on platform specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a testbed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the testbed showing that it provides insight into vulnerabilities and helps assess risk.

show abstract

“…Our sopIFL and aimIFL attacks are related to mobile browser security. Related works have studied the threats to Android WebView [35], [23], [37], [46], the security risks in HTML5-based mobile libraries [28] and apps [32], and unauthorized origin crossing in several popular Android and iOS apps [43]. Differently, our focus is file leaks via vulnerable browser components.…”

Section: Related Workmentioning

confidence: 99%

Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications

Wu,

Chang

2015

Preprint

View full text Add to dashboard Cite

Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victim's smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.

show abstract

Reliable Ad Hoc Smartphone Application Creation for End Users

Cited by 3 publications

References 0 publications

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services

Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications

Contact Info

Product

Resources

About