Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Davidson, Drew; Chen, Yaohui; Franklin, George; Lu, Long; Jha, Somesh

doi:10.1145/3052973.3052998

Cited by 11 publications

(8 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…General attacker model: Lastly, it should be emphasized that DROIDCAP currently primarily targets app developers that want to design their apps more defensively by compartmentalizing them or privilege-separating untrusted code. But, like other compartmentalization solutions like [18], [29], [52], [59], [71] our attacker model does not include malicious developers. DROIDCAP by itself cannot prevent malicious or colluding [40], [13] apps, although it prevents unauthorized delegation of capabilities between apps.…”

Section: Discussionmentioning

confidence: 99%

“…The general approach to privilege separation is to execute the library or WebView in a distinct sandbox with different UID and permissions than the host app. AdDroid [52], Ad-Split [59], CompARTist [29], and AFrame [71] implement this approach for ad libs; WIRE [18] privilege-separates WebViews this way; and Layercake [56] supports WebViews and ad libs. In contrast, we leverage in DROIDCAP built-in features for compartmentalizing apps (e.g., process manifest attributes of components) introduce Binder capabilities for efficient, leastprivilege privilege-separation of those compartments.…”

Section: A Android Security Extensionsmentioning

confidence: 99%

“…We argue that this combination of characteristics that retains an ambient authority generally impedes efficiently separating privileges on Android and makes it unnecessarily hard for developers to efficiently create new, least-privileged protection domains and adopting app compartmentalization best-practices. For instance, every component of an app inherits its app's full permission set and also prior works on privilege separation [52], [59], [71], [29], [18] necessarily have to set up new UIDs with separate permissions. There exist some works that refine the authority: for instance, SEAndroid's type enforcement [60] assigns security contexts to processes; different solutions on information flow control (e.g., [45], [46], [70]) assign security labels to processes; few solutions make app components the principal for permission enforcement [64], [57]; and app virtualization [9], [11] can enforce policies perprocess on IPC and syscalls.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DroidCap: OS Support for Capability-based Permissions in Android

Dawoud¹,

Bugiel²

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

We present DROIDCAP, a retrofitting of Android's central Binder IPC mechanism to change the way how permissions are being represented and managed in the system. In DROIDCAP, permissions are per-process Binder objectcapabilities. DROIDCAP's design removes Android's UID-based ambient authority and allows the delegation of capabilities between processes to create least-privileged protection domains efficiently. With DROIDCAP, we show that object-capabilities as underlying access control model integrates naturally and backward-compatible into Android's stock permission model and application management. Thus, our Binder capabilities provide app developers with a new path to gradually adopting app compartmentalization, which we showcase at two favorite examples from the literature, privilege separated advertisement libraries and least privileged app components. At the heart of our paradigm shift for representing permissions in Android is an extension to Android's Binder IPC mechanism. Binder IPC is the primary IPC channel for communication among all apps and between system services

show abstract

Section: Discussionmentioning

confidence: 99%

Section: A Android Security Extensionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DroidCap: OS Support for Capability-based Permissions in Android

Dawoud¹,

Bugiel²

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Other defense approaches, such as WIREframe [17] and HybridGuard [29], provided policy enforcement in WebView to protect app-web bridges. However, both of them only focused on JavaScript code and yet ignored HTML code.…”

Section: Eoe Countermeasure Discussionmentioning

confidence: 99%

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Yang

Huang

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Recently more and more Android apps integrate the embedded browser, known as "WebView", to render web pages and run JavaScript code without leaving these apps. WebView provides a powerful feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView. However, as shown in prior work, this feature suffers from remote attacks, which we generalize as EventOriented Exploit (EOE) in this paper, such that adversaries may remotely access local critical functionalities through event handlers in WebView without any permission or authentication.In this paper, we propose a novel approach, EOEDroid, which can automatically vet event handlers in a given hybrid app using selective symbolic execution and static analysis. If a vulnerability is found, EOEDroid also automatically generates exploit code to help developers and analysts verify the vulnerability. To support exploit code generation, we also systematically study web events, event handlers and their trigger constraints.We evaluated our approach on 3,652 most popular apps. The result showed that our approach found 97 total vulnerabilities in 58 apps, including 2 cross-frame DOM manipulation, 53 phishing, 30 sensitive information leakage, 1 local resources access, and 11 Intent abuse vulnerabilities. We also found a potential backdoor in a high profile app that could be used to steal users' sensitive information, such as IMEI. Even though developers attempted to close it, EOEDroid found that adversaries were still able to exploit it by triggering two events together and feeding event handlers with well designed input.

show abstract

“…However, if users need to keep a lot of confidential information, security issues can arise and network overhead can increase. Many research works are being proposed in [1], [2], [3] and [4] which provide a user authentication protocol through session key establishment for the user anonymity in a DCNs. For those attacks that do not protect the secret session key of an attacker, an attacker can falsify the service provider by forging a legal session key.…”

Section: Introductionmentioning

confidence: 99%

A Novel Authentication Mechanism to Prevent Unauthorized Service Access for Mobile Device in Distributed Network

Pavani¹

2018

Int. J. Interact. Mob. Technol.

View full text Add to dashboard Cite

The growth of distributed computer networks (DCN) is simple for the user to share information and computing capabilities with the host. User identification is an essential access control mechanism for the client-server networking architecture. The perception of single sign-on allows a legitimate user to access a different service provider on a DCN using a single session key. Recently, several user identification techniques being proposed for DCN. Unfortunately, the existing proposals cannot maintain user anonymity when the majority of probable attacks. In addition, the further time synchronization mechanism they use can result in widespread overhead costs. To overcome these shortcomings, we propose a novel authentication mechanism to prevent unauthorized service access for a mobile device in distributed networks. The mechanism implements methods to generate securely encrypted keys using RSA algorithm to validate the authentication of user login id and password. Later, it implements a secure session key generation using DH algorithm which allows accessing the different services without repeating the authentication mechanism. An experimental evaluation was performed to measure execution time overhead for the registration process, an authentication process, session key generation process and Service Request Performance. The comparison results with existing authentication mechanism show an improvisation in all the measures.

show abstract

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Cited by 11 publications

References 25 publications

DroidCap: OS Support for Capability-based Permissions in Android

DroidCap: OS Support for Capability-based Permissions in Android

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

A Novel Authentication Mechanism to Prevent Unauthorized Service Access for Mobile Device in Distributed Network

Contact Info

Product

Resources

About