Automated Security Testing of Webview Interfaces
Sponsored by a Google Faculty Research Award.
Many Android applications use an embedded webview, essentially a bare-bones web browser, and expose an interface for JavaScript content in the webview to interact with the app. Since they typically control both the app and the JavaScript code, developers consider these interfaces to be private. However, attackers may manipulate content loaded over network connections and can thus interact with the interface almost arbitrarily. The goal of this project is to develop methods for assessing the impact of insecure interfaces: while many functions exposed through such interfaces are harmless, some can allow an attacker to obtain or manipulate sensitive information, or even to load additional privilege escalation exploits.
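To make the exposed surface concrete, the following added example (not code from the project or from BabelView) is a source-level triage heuristic for reviewing your own app: it lists the methods a webview bridge exposes to JavaScript and notes whether the page is loaded over cleartext HTTP. The sample activity, the `triage` function and the regular expressions are constructed for illustration and assume plain Java source with string-literal URLs.

```python
import re

# Constructed sample: a minimal Android activity, not taken from any real app.
SAMPLE = '''
public class MainActivity extends Activity {
    class Bridge {
        @JavascriptInterface
        public String getToken() { return prefs.getString("token", ""); }
        @JavascriptInterface
        public void log(String msg) { Log.d("app", msg); }
        public void internalOnly() {}
    }
    void setup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "app");
        webView.loadUrl("http://example.com/index.html");
    }
}
'''

# For apps targeting API level 17 or higher, only public methods annotated
# with @JavascriptInterface are callable from JavaScript in the page.
EXPOSED = re.compile(r'@JavascriptInterface\s+public\s+[\w<>\[\], ]+?\s+(\w+)\s*\(')
# Bridge registration: (Java class, name visible to JavaScript).
REGISTER = re.compile(r'addJavascriptInterface\s*\(\s*new\s+(\w+)\s*\([^)]*\)\s*,\s*"([^"]+)"')
# Pages fetched without TLS can be altered in transit.
CLEARTEXT = re.compile(r'loadUrl\s*\(\s*"(http://[^"]+)"')

def triage(source):
    """Summarise the JavaScript-reachable surface of one Java source file."""
    methods = EXPOSED.findall(source)
    bridges = REGISTER.findall(source)
    cleartext = CLEARTEXT.findall(source)
    return {
        "exposed_methods": methods,
        "bridges": bridges,
        "cleartext_loads": cleartext,
        # A registered bridge on a cleartext page means content altered on
        # the network can call every exposed method: review each one.
        "network_reachable": bool(bridges and cleartext),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Each name under `exposed_methods` is a function to review for what it returns or changes; in the sample, `getToken` hands a stored value to whatever script runs in the page.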
Publications
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder. BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews. In Int. Symp. Research in Attacks, Intrusions, and Defenses (RAID), 2018.
@inproceedings{raid18-babelview,
  author = {Claudio Rizzo and Lorenzo Cavallaro and Johannes Kinder},
  title = {BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  booktitle = {Int. Symp. Research in Attacks, Intrusions, and Defenses (RAID)},
  year = {2018},
  doi = {10.1007/978-3-030-00470-5\_2},
}
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder. BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews. Tech. rep. CoRR:abs/1709.05690, arXiv, 2017.
@techreport{babelview-arxiv,
  author = {Claudio Rizzo and Lorenzo Cavallaro and Johannes Kinder},
  title = {BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  institution = {arXiv},
  number = {CoRR:abs/1709.05690},
  year = {2017},
  url = {https://arxiv.org/abs/1709.05690},
}