Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented By – Nikhil PAwar

Published byAnis Chapman Modified over 6 years ago

Similar presentations

Presentation on theme: "Presented By – Nikhil PAwar"— Presentation transcript:

1 Presented By – Nikhil PAwar
Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android Presented By – Nikhil PAwar

2 Publication and Authors.
ACM Conference on Computer and Communications Security 2016. Güliz Seray Tuncay - UIUC Soteris Demetriou – UIUC Carl A. Gunter - UIUC

3 Hand Raiser. How many of you are familiar with how websites or web apps work? How many are familiar with JavaScript and HTML5? Lastly Android and iPhone Users?

4 Mobile App Technology Stacks.

5 Embedded Browser. Web Container for showing web pages in app context.
85% of the apps in the Google Play store contain at least one embedded browser. Use Cases Displaying web Content Displaying Ads Reuse of web code Hybrid Apps

6 Webview. A Chromeless/Safariless browser window that’s typically configured to run full screen. A View that displays web pages. Earlier packaged with the OS now ships as a separate downloadable system application. UIWebView : iPhone : Apple’s WebKit. WebView : Android : Chromium : Apple’s webkit

7 App – web code interaction.

8 App – web code interaction.

9 BRIDGES???

10 App – web code interaction (Channels).

11 Webview with JavaScript Interfaces.
Register a Java object with a specific WebView instance, mWebView. The WebView API allows inserting Java objects into WebViews using the addJavaScriptInterface() method. JavaScript loaded in the WebView can have access to application’s internal Java code, giving web code the ability to interact more tightly with an app, and in some cases get access to system resources.

12 Webview with JavaScript Event handlers.
The WebView API allows developers to handle the alert, prompt and confirm JavaScript events, by registering the onJsAlert(), onJsPrompt() and onJsConfirm() Java callback methods. Whenever the JavaScript side calls any of these event methods, their respective handler will be called, if it is overridden. The developer is free to implement any logic in these event handlers. Used in some hybrid frameworks to connect the web side to the local side

13 Webview with HTML 5 APIs. The rise of HTML5 has brought in a set of APIs that can give web applications the ability to access device hardware via JavaScript. E.g. Geolocation and getUserMedia, which enable access to GPS and to media devices such as camera and microphone Developer needs to make use of onGeolocationShowPrompt (for geolocation), and onPermissionRequest (for media devices) to grant or deny permission to the requests.

14 prevalence of webview api.

15 Ideal Scenario.

16 Threat Model.

17 Threat Model.

18 Threat Model.

19 Threat Model.

20 Prior Studies Shortcomings.
Limited scope : since they mainly target hybrid apps. Incomplete : since they focus only on protecting permission protected resources (e.g. camera, microphone) Rely on whitelisting policies that always block unknown domains. Ad hoc : since they focus only on a subset of resource access channels.

21 CASE Study : USPS APP. Developer loaded pages from untrusted domains in the browser instead of the WebView Flawed navigation control logic The developer checks if the loaded URL contains “usps.com” rather than checking if the host’s domain name matches “usps.com”

22 CASE STUDY : CVS CAREMARK APP.
Developers registered two different javascript interfaces with the WebView viz. ‘native’ and ‘WebJSInterface’ Native was meant to be used for internal use only, that is by trusted CVS domains while “WebJSInterface” was meant to be used in a more generic context and by untrusted domains But both of these interfaces belong to the same WebView instance.

23 TEST ATTACK on CVS CAREMARK APP.
The attack domain was able to retrieve personal information (like the user’s name, health care ID, address, pharmacy preference, and location). Also was able to execute app functions such as using the camera on the victim device for barcode scanning functionality and retrieving images of user’s prescription drugs.

24 CASE STUDY : JOB SEARCH. Has over 550 lines of code to contain flaws of webview But then the app offers the user the choice of adding web sites as a part of their profile and allowing the user to navigate to these sites! Attack using the JS interface by navigating to test "malicious" website exploiting a vulnerable interface. In this interface, the app offers the device’s unique ID, enabling/disabling Google play.

25 NEED for change. Redirection to malicious websites OR presence of malicious code in iframes on a non alien origin. Lack on access control mechanism on foreign code of unknown origin. Current disorganized and complex nature of interactions between web origins and applications creates confusion for developers. Faulty implementation of navigation control logic or multiple WebViews with different levels of exposure.

26 Enter DRACO. Draco, a fine grained, origin-based access control system for WebViews, with Draconian Policy Language (DPL), which allows app developers to declare policy rules dictating how different components within a WebView should be exposed to different web origins. A Draco Runtime System (DRS), which takes policy rules on system and internal app resources (i.e., JavaScript bridges) as an input from the developer and enforces them dynamically when a resource request is made by a web origin.

27 DPL Grammar.

28 Additional Features. Supports wild cards for origins in DPL, in order to allow creation of rules that can be applied to any origin. DPL also allows app developers to provide a description message for the user. This can be useful in cases the DPL rule governs resources at a very fine-granularity (e.g. at the method level) which might be challenging for the user to understand. A key aspect of the design of DRS is to avoid any modifications in the Android OS to make DRS easier to both deploy and update. In particular, DRS is built on top of the WebView system app on Android.

29 Solutions.

30 Architecture.

31 RUNTIME DSA Unit.

32 POLICY AND PERMISSION PARSING.

33 IN-app RUNTIME.

34 Summary. How many of you are familiar with how websites or web apps work? How many are familiar with JavaScript and HTML5? Lastly Android and iPhone Users?

35 Acknowledgement. Darshan Mhatre Divyansh Bhatnagar

36 References. pdf applications-and-android-native-browser/

37 Thank You.

Download ppt "Presented By – Nikhil PAwar"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
Developing downloadable mobile apps using HTML5 and PhoneGap Apache Callback Ron Perry, CTO, Worklight Inc.

Developing downloadable mobile apps using HTML5 and PhoneGap Apache Callback Ron Perry, CTO, Worklight Inc.
UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.

UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.
A problem in IMS Learning Design To promote interoperability, few services Local tool frameworks like LAMS have much richer tool environment –Easy provisioning.

A problem in IMS Learning Design To promote interoperability, few services Local tool frameworks like LAMS have much richer tool environment –Easy provisioning.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
Development of mobile applications using PhoneGap and HTML 5

Development of mobile applications using PhoneGap and HTML 5
Native vs hybrid vs web mobile Application

Native vs hybrid vs web mobile Application
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
UNIT-V The MVC architecture and Struts Framework.

UNIT-V The MVC architecture and Struts Framework.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.

By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.
Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.

Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.
Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.
Chapter 8 Browsing and Searching the Web. Browsing and Searching the Web FAQs: – What’s a Web page? – What’s a URL? – How does a browser work? – How do.

Chapter 8 Browsing and Searching the Web. Browsing and Searching the Web FAQs: – What’s a Web page? – What’s a URL? – How does a browser work? – How do.

Similar presentations

Ads by Google