Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS

Author

Jing Yu ; Yamauchi, Takashi

Author_Institution

Grad. Sch. of Natural Sci. & Technol., Okayama Univ., Okayama, Japan

fYear

2013

fDate

13-15 Nov. 2013

Firstpage

1628

Lastpage

1633

Abstract

Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

Keywords

Android (operating system); Java; Web services; authorisation; operating systems (computers); program diagnostics; Android OS; Android applications; Android device; Java object level; JavaScript code; Web pages; WebView vulnerability; access control; attack prevention; resource access; security sensitive API; static analysis; threat identification; Androids; Assembly; Browsers; Humanoid robots; Java; Smart phones; Web pages;

fLanguage

English

Publisher

ieee

Conference_Titel

High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing (HPCC_EUC), 2013 IEEE 10th International Conference on

Conference_Location

Zhangjiajie

Type

conf

DOI

10.1109/HPCC.and.EUC.2013.229

Filename

6832111