Access control to prevent attacks exploiting vulnerabilities of WebView in android OS

Jing Yu; Toshihiro Yamauchi

doi:10.1109/HPCC.and.EUC.2013.229

Access control to prevent attacks exploiting vulnerabilities of WebView in android OS

Jing Yu, Toshihiro Yamauchi

Graduate School of Natural Science and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

Original language	English
Title of host publication	Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013
Publisher	IEEE Computer Society
Pages	1628-1633
Number of pages	6
ISBN (Print)	9780769550886
DOIs	https://doi.org/10.1109/HPCC.and.EUC.2013.229
Publication status	Published - Jan 1 2014
Event	15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013 - Zhangjiajie, Hunan, China Duration: Nov 13 2013 → Nov 15 2013

Publication series

Name	Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013

Other

Other	15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013
Country	China
City	Zhangjiajie, Hunan
Period	11/13/13 → 11/15/13

Fingerprint

ASJC Scopus subject areas

Software

Cite this

Yu, J., & Yamauchi, T. (2014). Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. In Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013 (pp. 1628-1633). [6832111] (Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013). IEEE Computer Society. https://doi.org/10.1109/HPCC.and.EUC.2013.229

Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. / Yu, Jing; Yamauchi, Toshihiro.

Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013. IEEE Computer Society, 2014. p. 1628-1633 6832111 (Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Yu, J & Yamauchi, T 2014, Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. in Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013., 6832111, Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013, IEEE Computer Society, pp. 1628-1633, 15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013, Zhangjiajie, Hunan, China, 11/13/13. https://doi.org/10.1109/HPCC.and.EUC.2013.229

Yu J, Yamauchi T. Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. In Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013. IEEE Computer Society. 2014. p. 1628-1633. 6832111. (Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013). https://doi.org/10.1109/HPCC.and.EUC.2013.229

Yu, Jing ; Yamauchi, Toshihiro. / Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013. IEEE Computer Society, 2014. pp. 1628-1633 (Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013).

@inproceedings{89b1970de11f48ccace8fdda0f587acf,

title = "Access control to prevent attacks exploiting vulnerabilities of WebView in android OS",

abstract = "Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.",

author = "Jing Yu and Toshihiro Yamauchi",

year = "2014",

month = jan

day = "1",

doi = "10.1109/HPCC.and.EUC.2013.229",

language = "English",

isbn = "9780769550886",

series = "Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013",

publisher = "IEEE Computer Society",

pages = "1628--1633",

booktitle = "Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013",

address = "United States",

note = "15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013 ; Conference date: 13-11-2013 Through 15-11-2013",

}

TY - GEN

T1 - Access control to prevent attacks exploiting vulnerabilities of WebView in android OS

AU - Yu, Jing

AU - Yamauchi, Toshihiro

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

AB - Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.

UR - http://www.scopus.com/inward/record.url?scp=84903973683&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84903973683&partnerID=8YFLogxK

U2 - 10.1109/HPCC.and.EUC.2013.229

DO - 10.1109/HPCC.and.EUC.2013.229

M3 - Conference contribution

AN - SCOPUS:84903973683

SN - 9780769550886

T3 - Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013

SP - 1628

EP - 1633

BT - Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013

PB - IEEE Computer Society

T2 - 15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013

Y2 - 13 November 2013 through 15 November 2013

ER -

Access to Document

10.1109/HPCC.and.EUC.2013.229