Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. Syracuse University. ACSAC 2011. Presented 2011/12/20.

Agenda
 Introduction
 WebView
 Threat Models
 Attacks from Web Pages
 Attack from Malicious Apps
 Case Studies
 Conclusion

Introduction
 WebView: enables smartphone and tablet apps (on both Android and iOS) to embed a simple but powerful browser inside them
 Two parts of the Web's security infrastructure are weakened:
   The Trusted Computing Base (TCB) at the client side
   The sandbox protection implemented by browsers

Introduction
 Two objectives of the sandbox:
   Same-Origin Policy (SOP)
   Isolate web pages from the system, and isolate the web pages of one origin from those of another

WebView (1/4)
 WebView is a subclass of View, and it is used to display web pages
 It enables apps to interact with the web content through its APIs
   From apps to web pages
   From web pages to apps
 Three types of interactions:
   Event monitoring
   Invoke Java from JavaScript
   Invoke JavaScript from Java

WebView (2/4)
 Event monitoring

WebView (3/4)
 Invoke Java from JavaScript

WebView (4/4)
 Invoke JavaScript from Java
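The three interaction types from the WebView slides (event monitoring, invoking Java from JavaScript, invoking JavaScript from Java) in one minimal Activity. This is an added example, not code from the paper or its authors; the bridge class AppBridge, the interface name Android and the origin https://example.com/ are assumptions, and the @JavascriptInterface annotation comes from a later Android release than the one the paper studied.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class WebViewDemoActivity extends Activity {

    // Java object the app exposes to page JavaScript (hypothetical bridge).
    class AppBridge {
        @JavascriptInterface  // API 17+: only annotated methods are reachable from JS
        public String getAppVersion() {
            return "1.0-demo";  // constructed sample value
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        setContentView(wv);
        wv.getSettings().setJavaScriptEnabled(true);

        // (1) Event monitoring: the app hooks navigation and page-load events.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation. Here any top-level navigation
                // off the assumed trusted origin is cancelled. This hook alone is not a
                // complete origin check (redirects and sub-frames are not all covered).
                return !url.startsWith("https://example.com/");
            }

            @Override
            public void onPageFinished(WebView view, String url) {
                // (3) Invoke JavaScript from Java: the app runs code inside the page.
                // The injected code calls back into Java through the bridge from (2).
                view.loadUrl("javascript:document.title = 'app ' + Android.getAppVersion();");
            }
        });

        // (2) Invoke Java from JavaScript: page code can now call Android.getAppVersion().
        // Every page loaded in this WebView, whatever its origin, sees the same object.
        wv.addJavascriptInterface(new AppBridge(), "Android");

        wv.loadUrl("https://example.com/");
    }
}
```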

Threat Models
 Attacks from malicious web pages

Threat Models
 Attacks from malicious apps

Attacks from Web Pages (1/3)
 Through holes in the sandbox
   All pages loaded in the WebView can call the same interface
   DroidGap
   Still need permission

Attacks from Web Pages (2/3)
 Through frame confusion
   public class CameraLauncher {
       public void failPicture(String paramString) {

Attacks from Web Pages (3/3)
 Through frame confusion

Attack from Malicious Apps (1/3)
 JavaScript injection
 Event sniffing and hijacking

Attack from Malicious Apps (2/3)
 JavaScript injection
   An Android app can inject arbitrary JavaScript code into the pages loaded by its WebView component
   Extracting information from WebView

Attack from Malicious Apps (3/3)
 Event sniffing and hijacking
   WebView exposes a number of hooks to Android apps, allowing them to intercept events and potentially change the consequences of those events
   Redirect URL

Case Studies
 The goal is not to look for malicious or vulnerable apps, but to study how Android apps use WebView
 Usage of WebView
 Usage of the WebView hooks
 Usage of addJavascriptInterface
 Dex2jar

Conclusion
 In our on-going work, we are developing solutions to secure WebView
 The goal is to defend against the attacks on WebView by building desirable security features into WebView
