Embed Size (px)
Citation preview
A Large-Scale Study of Mobile Web App Security
Patrick Mutchler, Adam Doupe,
John Mitchell, Chris Kruegel, Giovanni Vigna
The big picture
Hundreds of thousands of vulnerable apps
Definitions
A Large-Scale Study of Mobile Web App Security
A mobile web app is…
… an app that embeds a fully functional web browser as a UI element.
A Large-Scale Study of Mobile Web App Security
1,172,610Android apps
998,286w/ WebViews
A Large-Scale Study of Mobile Web App Security
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
“You should restrict the web-pages that can load inside your WebView with a whitelist.”
“…only loading content from trusted sources into WebView will help protect users.”
- Adrian Ludwig, Google
Goal:
Find apps that load untrusted content in WebViews
1. Navigate to untrusted content
// In app codemyWebView.loadUrl(“foo.com”);
// In app codemyWebView.load(“foo.com”);
<!-- In HTML --><a href=“foo.com”>click!</a>
// In app codemyWebView.load(“foo.com”);
<!-- In HTML --><a href=“foo.com”>click!</a>
<!-- More HTML --><iframe src=“foo.com”/>
// In app codemyWebView.loadUrl(“foo.com”);
<!-- In HTML --><a href=“foo.com”>click!</a>
<!-- More HTML --><iframe src=“foo.com”/>
// In JavaScriptwindow.location = “foo.com”;
public boolean shouldOverrideUrlLoading( WebView view, String url){
// False -> Load URL in WebView // True -> Prevent the URL load
}
public boolean shouldOverrideUrlLoading( WebView view, String url){
String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true;}
public boolean shouldOverrideUrlLoading( WebView view, String url){
String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true;}
public boolean shouldOverrideUrlLoading( WebView view, String url){
String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true;}
What does untrusted mean?
2. Load content with HTTP
3. Use HTTPS unsafely
public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){
// handler.cancel() -> cancel the load // handler.proceed() -> ignore the error }
public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){
handler.proceed(); }
public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){
handler.proceed(); }
Results
Vulnerability % Relevant % Vulnerable
Unsafe Nav 15 34
HTTP 40 56
Unsafe HTTPS 27 29
Popularity
Outdated Apps
29% unsafe nav
Libraries
29% unsafe nav
Libraries
51% HTTP
29% unsafe nav
Libraries
51% HTTP
53% unsafe HTTPS
Takeaways
Takeaways
• Apps must not load untrusted content into WebViews
Takeaways
• Apps must not load untrusted content into WebViews
• Able to identify violating apps using static analysis
Takeaways
• Apps must not load untrusted content into WebViews
• Able to identify violating apps using static analysis
• Vulnerabilities are present in the entire app ecosystem
Questions?
