DOI: 10.1145/3052973.3052998

Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems

Published: 02 April 2017

Abstract

A majority of today's mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web content can use the privileges of its embedding app to exfiltrate sensitive information such as the user's location and contacts. In this paper, we discuss security weaknesses of the interface between app code and web content through attacks, then introduce defenses that can be deployed without modifying the OS. Our defenses feature WIREframe, a service that securely embeds and renders external web content in Android apps, and in turn, prevents attacks between embedded web and host apps. WIREframe fully mediates the interface between app code and embedded web content. Unlike the existing web-embedding mechanisms, WIREframe allows both apps and embedded web content to define simple access policies to protect their own resources. These policies recognize fine-grained security principals, such as origins, and control all interactions between apps and the web. We also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps. Our evaluation, based on 7166 popular apps and 20 specially selected apps, shows these techniques work on complex apps and incur acceptable end-to-end performance overhead.

Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN:9781450349444
DOI:10.1145/3052973
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. mobile security
  2. privacy
  3. security

Qualifiers

  • Research-article

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)143
  • Downloads (Last 6 weeks)18
Reflects downloads up to 10 Nov 2024

Cited By

  • (2024) The Dark Forest: Understanding Security Risks of Cross-Party Delegated Resources in Mobile App-in-App Ecosystems. IEEE Transactions on Information Forensics and Security 19 (5434-5448). DOI: 10.1109/TIFS.2024.3390553. Online publication date: 2024
  • (2022) Achieving resource-centric access control for web-app interactions on android. High-Confidence Computing 2:3 (100073). DOI: 10.1016/j.hcc.2022.100073. Online publication date: Sep-2022
  • (2021) ReACt: A Resource-centric Access Control System for Web-app Interactions on Android. Proceedings of the Web Conference 2021 (1459-1470). DOI: 10.1145/3442381.3449960. Online publication date: 19-Apr-2021
  • (2021) Privacy Leakage and Protection of InputConnection Interface in Android. IEEE Transactions on Network and Service Management 18:3 (3309-3323). DOI: 10.1109/TNSM.2021.3077010. Online publication date: Sep-2021
  • (2019) Iframes/popups are dangerous in mobile webview. Proceedings of the 28th USENIX Conference on Security Symposium (977-994). DOI: 10.5555/3361338.3361406. Online publication date: 14-Aug-2019
  • (2019) An Authorization Framework with OAuth for FinTech Servers. 2019 4th International Conference on Computer Science and Engineering (UBMK) (536-541). DOI: 10.1109/UBMK.2019.8907182. Online publication date: Sep-2019
  • (2018) AdCapsule: Practical Confinement of Advertisements in Android Applications. IEEE Transactions on Dependable and Secure Computing (1-1). DOI: 10.1109/TDSC.2018.2814999. Online publication date: 2018
  • (2018) Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications. 2018 IEEE Symposium on Security and Privacy (SP) (742-755). DOI: 10.1109/SP.2018.00043. Online publication date: May-2018
  • (2017) The ART of App Compartmentalization. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (1037-1049). DOI: 10.1145/3133956.3134064. Online publication date: 30-Oct-2017
