Supplementary Event-Listener Injection Attack in Smart Phones

Bibliographic Details
Published in: KSII Transactions on Internet and Information Systems, 2015-10, Vol. 9 (10), p. 4191
Main Authors: Hidhaya, S. Fouzul, Geetha, Angelina, Kumar, B. Nandha, Sravanth, Loganathan Venkat, Habeeb, A
Format: Article
Language: English
Description
Summary: WebView is a vital component in smartphone platforms like Android, Windows and iOS that enables smartphone applications (apps) to embed a simple yet powerful web browser inside them. WebView not only provides the same functionality as a web browser but, more importantly, enables rich interaction between apps and the webpages loaded inside the WebView. However, the design and features of WebView open a path to tampering with the sandbox protection mechanism implemented by browsers. As a consequence, malicious attacks can be launched either against the apps or by the apps through the exploitation of WebView APIs. This paper presents a critical attack called the Supplementary Event-Listener Injection (SEI) attack, which uses JavaScript injection to add auxiliary event listeners, for executing malicious activities, to the HTML elements of the webpage loaded by the WebView. This paper also proposes an automated static analysis system that analyzes WebView-embedded apps to classify the kind of vulnerability they possess, and a solution for mitigating the attack.

Keywords: Android Security, WebView, Embedded browser, Smart Phone Security, Malicious Attacks, JavaScript Injection
ISSN: 1976-7277
DOI: 10.3837/tiis.2015.10.024