Bifocals: Analyzing WebView Vulnerabilities in Android Applications

Authors: Erika Chin, David Wagner

DOI: 10.1007/978-3-319-05149-9_9

Keywords:

Abstract: WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device's file system to an attacker. We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11% of the applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60% of the vulnerable applications with little burden on developers.
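As an added illustration (not code from the paper or from the Bifocals tool), the Android code below puts the two WebView patterns the abstract names side by side with a hardened version of the same screen. The activity and class names, the Bridge object and the host trusted.example.com are assumptions made for the example; only the android.webkit APIs are real.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

// Assumed names for the example: the activities, the Bridge class and the
// host trusted.example.com are not taken from the paper.
public class WebViewExamples {

    /** Native code exposed to page JavaScript through addJavascriptInterface. */
    public static class Bridge {
        private final Activity activity;
        Bridge(Activity activity) { this.activity = activity; }

        // With targetSdkVersion 17 or later only methods annotated with
        // @JavascriptInterface are callable from JavaScript; on older targets
        // every public method of the object is reachable.
        @JavascriptInterface
        public void showMessage(String msg) {
            Toast.makeText(activity, msg, Toast.LENGTH_SHORT).show();
        }
    }

    /** Vulnerable: both patterns from the abstract, kept together for contrast. */
    public static class VulnerableActivity extends Activity {
        @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            WebView webView = new WebView(this);
            setContentView(webView);
            WebSettings settings = webView.getSettings();
            settings.setJavaScriptEnabled(true);

            // Excess authorization: the bridge is attached before any content is
            // loaded and no WebViewClient restricts navigation, so JavaScript on
            // any page the WebView ends up on (an ad, a redirect, an attacker's
            // site) can call window.bridge.showMessage(...).
            webView.addJavascriptInterface(new Bridge(this), "bridge");

            // File-based cross-zone scripting: the URL comes from an Intent extra
            // that any app on the device can supply. A file:// URL pointing at
            // attacker-written HTML runs with JavaScript enabled in the file
            // origin, from which it can read other files this app can read.
            String url = getIntent().getStringExtra("url");
            webView.loadUrl(url);
        }
    }

    /** Hardened: restrict origins, file access and the bridge's exposure. */
    public static class HardenedActivity extends Activity {
        private static final String TRUSTED_HOST = "trusted.example.com"; // assumed

        @SuppressLint("SetJavaScriptEnabled")
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            WebView webView = new WebView(this);
            setContentView(webView);
            WebSettings settings = webView.getSettings();
            settings.setJavaScriptEnabled(true);

            // Close the file-based vector: no file:// loads, and file-origin
            // pages cannot read other local files even if one were loaded.
            settings.setAllowFileAccess(false);
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);

            // Only accept https URLs on the trusted host, whatever the caller sent.
            String raw = getIntent().getStringExtra("url");
            Uri requested = raw == null ? null : Uri.parse(raw);
            if (!isTrusted(requested)) {
                finish();
                return;
            }

            // Keep the WebView on the trusted origin: navigation elsewhere is
            // refused, so the pages that can reach the bridge are exactly the
            // trusted ones. (This overload needs API 24 or later.)
            webView.setWebViewClient(new WebViewClient() {
                @Override
                public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                    return !isTrusted(request.getUrl()); // true = do not load it here
                }
            });

            webView.addJavascriptInterface(new Bridge(this), "bridge");
            webView.loadUrl(requested.toString());
        }

        static boolean isTrusted(Uri uri) {
            return uri != null
                && "https".equals(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
        }
    }
}
```

The hardened version limits where the WebView can navigate and what a file-origin page could read, but it does not shrink the bridge's reach below "every script the trusted pages include": a third-party script pulled into a trusted page can still call the interface, so the set of exposed methods should stay as small as the annotation allows.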
