Study of Mobile Web App Security: Findings and Recommendations
Explore the findings of a large-scale study on mobile web app security conducted by Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, and Giovanni Vigna. The study reveals vulnerabilities in hundreds of thousands of mobile apps, emphasizing the importance of securing WebView elements and restricting content loading to enhance app security.
Presentation Transcript
A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna
Hundreds of thousands of vulnerable apps
A mobile web app is an app that embeds a fully functional web browser as a UI element.
1,172,610 Android apps
998,286 with WebViews
Three classes of vulnerability studied:
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state-changing navigation to foreign apps
"You should restrict the web-pages that can load inside your WebView with a whitelist." - Facebook
"Only loading content from trusted sources into WebView will help protect users." - Adrian Ludwig, Google
Goal: Find apps that load untrusted content in WebViews
Ways a URL ends up loaded in a WebView:

    // In app code
    myWebView.loadUrl("foo.com");

    <!-- In HTML -->
    <a href="foo.com">click!</a>

    <!-- More HTML -->
    <iframe src="foo.com"></iframe>

    // In JavaScript
    window.location = "foo.com";
The WebViewClient hook that decides whether a navigation is allowed:

    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // false -> load the URL in the WebView
        // true  -> prevent the URL load
    }
A whitelist implementation that only lets the host stanford.edu load and logs everything else (URL parsing throws a checked MalformedURLException, so the parse is wrapped and a malformed URL is treated as blocked):

    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        String host;
        try {
            host = new URL(url).getHost();
        } catch (MalformedURLException e) {
            log("Overrode malformed URL: " + url);
            return true;   // unparseable -> do not load
        }
        if (host.equals("stanford.edu"))
            return false;  // whitelisted host -> let the WebView load it
        log("Overrode URL: " + url);
        return true;       // anything else -> blocked
    }
The WebViewClient hook that decides what happens on a TLS certificate error:

    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // handler.cancel()  -> cancel the load
        // handler.proceed() -> ignore the error
    }
The "unsafe HTTPS" pattern counted by the study: every certificate error is ignored, so the HTTPS connection no longer authenticates the server.

    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();  // accepts any certificate, including an attacker's
    }
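Putting the two hooks together, here is an added example (not code from the slides or from the study's authors) of a WebViewClient that applies the recommended whitelist and refuses to proceed past certificate errors. The host list, the logging tag and the class name are assumptions for this example; it uses only standard Android WebView APIs.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical client: only HTTPS navigations to exactly-listed hosts are loaded.
public class AllowlistWebViewClient extends WebViewClient {
    private static final String TAG = "AllowlistWebViewClient"; // assumed log tag

    // Hosts this app is willing to render (constructed for the example).
    private final Set<String> allowedHosts;

    public AllowlistWebViewClient(String... hosts) {
        Set<String> s = new HashSet<>();
        for (String h : hosts) s.add(h.toLowerCase(Locale.ROOT));
        this.allowedHosts = Collections.unmodifiableSet(s);
    }

    /** True only when the URL is https and its host is an exact allowlist entry. */
    boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // javascript:, data:, about:blank and relative strings have no usable host.
        if (scheme == null || host == null) return false;
        // Plain HTTP is the study's "HTTP" vulnerability class; require TLS.
        if (!"https".equalsIgnoreCase(scheme)) return false;
        // Exact match, not endsWith(): "stanford.edu.attacker.example" must fail.
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    // Modern overload (API 24+): top-level navigations from links and window.location.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return block(request.getUrl().toString());
    }

    // Legacy overload, still the one invoked on API < 24.
    @Override
    @SuppressWarnings("deprecation")
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return block(url);
    }

    // Returning true prevents the load; returning false lets the WebView proceed.
    private boolean block(String url) {
        if (isAllowed(url)) return false;
        Log.w(TAG, "Blocked navigation to: " + url);
        return true;
    }

    // handler.proceed() would accept an invalid certificate; always cancel instead.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "Certificate error " + error.getPrimaryError() + " for " + error.getUrl());
        handler.cancel();
    }
}

// Usage (in an Activity, assumed):
//   webView.setWebViewClient(new AllowlistWebViewClient("stanford.edu", "www.stanford.edu"));
//   webView.loadUrl("https://stanford.edu/");
```

Two caveats a reviewer would check for: shouldOverrideUrlLoading is not consulted for the app's own loadUrl() calls, so the URL the app itself passes must satisfy the same check, and it does not cover subresource or iframe loads, which go through shouldInterceptRequest instead.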
Results over the apps analysed (% Relevant = share of apps for which the check applies; % Vulnerable = share of those that exhibit the flaw):

    Vulnerability   % Relevant   % Vulnerable
    Unsafe Nav      15           34
    HTTP            40           56
    Unsafe HTTPS    27           29
Libraries: 51% HTTP, 53% unsafe HTTPS, 29% unsafe nav
Takeaways
- Apps must not load untrusted content into WebViews
- Able to identify violating apps using static analysis
- Vulnerabilities are present in the entire app ecosystem