DOI: 10.1145/3471621.3471625 (RAID conference proceedings, research article)

On the Usability (In)Security of In-App Browsing Interfaces in Mobile Apps

Published: 07 October 2021

Abstract

Because web URLs are frequently encountered in many application scenarios (e.g., chatting and reading email), many mobile apps build in-app browsing interfaces (IABIs) to provide a seamless user experience. Although this avoids constantly switching between the host app and the system's built-in browser, we find that IABIs, if not well designed or customized, can introduce usability security risks.
In this paper, we conduct the first empirical study of the usability (in)security of in-app browsing interfaces in both Android and iOS apps. Specifically, we collect a dataset of 25 high-profile mobile apps that contain IABIs, drawn from five common application categories and including Facebook and Gmail, and perform a systematic analysis (not an end-user study) comprising eight carefully designed security tests that cover the entire course of opening, displaying, and navigating an in-app web page. This yields three major security findings: (1) about 30% of the tested apps fail to provide enough URL information for users to make an informed decision about opening a URL; (2) nearly all custom IABIs have problems providing sufficient indicators to faithfully display an in-app page to users, whereas the ten IABIs based on Chrome Custom Tabs and SFSafariViewController are generally secure; and (3) only a few IABIs warn users of the risk of entering passwords while navigating a (potentially phishing) login page.
Most developers acknowledged our findings, but their willingness and readiness to fix usability issues are rather low compared with fixing technical vulnerabilities, which is a puzzle for usability security research. Nevertheless, to help mitigate risky IABIs and guide future designs, we propose a set of secure IABI design principles.
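The following is an added illustration, not code from the paper or from any of the apps it studied, of how the three findings in the abstract translate into an Android in-app browsing surface: it prefers Chrome Custom Tabs (the IABI flavour the abstract finds generally secure), and where a raw WebView must be used it keeps an app-drawn origin label in sync with navigation, refuses to proceed past certificate errors, and notifies the host app when the loaded page contains a password field so it can show a warning. The package, class and method names, the `originLabel` view and the `PasswordPageListener` callback are assumptions; the Android and AndroidX APIs used are real.

```java
// Added example, not taken from the paper or the apps it studied.
// Package, class and method names are assumptions.
package example.iabi;

import android.content.ActivityNotFoundException;
import android.content.Context;
import android.graphics.Bitmap;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.TextView;
import androidx.browser.customtabs.CustomTabsIntent;

public final class InAppBrowser {

    /** Callback the host app supplies to show its own "you are entering a password" notice. */
    public interface PasswordPageListener {
        void onPasswordFieldDetected(String pageUrl);
    }

    private InAppBrowser() {}

    /** Only http(s) URLs are handed to any browsing surface; other schemes are refused. */
    static boolean isWebUrl(Uri uri) {
        String scheme = uri.getScheme();
        return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
    }

    /** Scheme plus host is the minimum a user needs to decide whether to trust a page. */
    static String displayOrigin(String url) {
        Uri uri = Uri.parse(url);
        return uri.getScheme() + "://" + uri.getHost();
    }

    /**
     * Preferred path: Chrome Custom Tabs renders the system browser's own URL bar and
     * TLS indicators, so the app does not have to draw (and possibly get wrong) its own.
     * Returns false when no Custom Tabs capable browser is installed.
     */
    public static boolean openWithCustomTabs(Context ctx, String url) {
        Uri uri = Uri.parse(url);
        if (!isWebUrl(uri)) return false;
        CustomTabsIntent intent = new CustomTabsIntent.Builder()
                .setShowTitle(true)
                .build();
        try {
            intent.launchUrl(ctx, uri);
            return true;
        } catch (ActivityNotFoundException e) {
            return false;
        }
    }

    /**
     * Fallback path: a WebViewClient that keeps an app-controlled origin label in sync
     * with navigation, fails closed on certificate errors, and flags password fields.
     */
    public static void attachDefensiveClient(WebView webView, TextView originLabel,
                                             PasswordPageListener listener) {
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                // Update the indicator when navigation starts, not only when it finishes,
                // so the label never shows the previous origin over new content.
                originLabel.setText(displayOrigin(url));
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                // handler.proceed() would silently accept an invalid certificate; cancel instead.
                handler.cancel();
                originLabel.setText("Blocked: certificate error for " + displayOrigin(error.getUrl()));
            }

            @Override
            public void onPageFinished(WebView view, String url) {
                // Heuristic login-form check; evaluateJavascript returns a JSON string ("0", "1", ...).
                view.evaluateJavascript(
                        "document.querySelectorAll('input[type=password]').length",
                        count -> {
                            if (count != null && !"0".equals(count) && !"null".equals(count)) {
                                listener.onPasswordFieldDetected(url);
                            }
                        });
            }
        });
    }
}
```

The password-field probe runs once after the main frame finishes loading, so it does not see fields that a page injects later or renders inside a cross-origin iframe; treat a positive result as a reason to show the warning the abstract asks for, and a negative result as no information rather than as proof that no credential form is present.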


Cited By

  • (2024) PhishinWebView: Analysis of Anti-Phishing Entities in Mobile Apps with WebView Targeted Phishing. Proceedings of the ACM Web Conference 2024, pp. 1923-1932. https://doi.org/10.1145/3589334.3645708. Online publication date: 13 May 2024.

Published In

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses
October 2021
468 pages
ISBN: 9781450390583
DOI: 10.1145/3471621

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android Security
  2. Usability Security
  3. WebView Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Singapore National Research Foundation under the National Satellite of Excellence in Mobile Systems Security and Cloud Security program

Conference

RAID '21
