Abstract
Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013 |
| Publisher | IEEE Computer Society |
| Pages | 1628-1633 |
| Number of pages | 6 |
| ISBN (Print) | 9780769550886 |
| DOIs | |
| Publication status | Published - 2014 |
| Event | 15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013 - Zhangjiajie, Hunan, China Duration: Nov 13 2013 → Nov 15 2013 |
Other
| Other | 15th IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 11th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, EUC 2013 |
|---|---|
| Country | China |
| City | Zhangjiajie, Hunan |
| Period | 11/13/13 → 11/15/13 |
Fingerprint
ASJC Scopus subject areas
- Software
Cite this
Access control to prevent attacks exploiting vulnerabilities of WebView in android OS. / Yu, Jing; Yamauchi, Toshihiro.
Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013. IEEE Computer Society, 2014. p. 1628-1633 6832111.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - Access control to prevent attacks exploiting vulnerabilities of WebView in android OS
AU - Yu, Jing
AU - Yamauchi, Toshihiro
PY - 2014
Y1 - 2014
N2 - Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
AB - Android applications that using WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
UR - http://www.scopus.com/inward/record.url?scp=84903973683&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84903973683&partnerID=8YFLogxK
U2 - 10.1109/HPCC.and.EUC.2013.229
DO - 10.1109/HPCC.and.EUC.2013.229
M3 - Conference contribution
SN - 9780769550886
SP - 1628
EP - 1633
BT - Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013
PB - IEEE Computer Society
ER -