ABSTRACT
As a critical feature for enhancing user experience, cross-app URL invocation has been reported to cause unauthorized execution of app components. Although protection has already been put in place, little has been done to understand the security risks of navigating an app's WebView through a URL, a legitimate need for displaying the app's UI during cross-app interactions. In our research, we found that the current design of such cross-WebView navigation actually opens the door to a cross-app remote infection, allowing a remote adversary to spread malicious web content across different apps' WebView instances and acquire stealthy and persistent control of these apps. This new threat, dubbed Cross-App WebView Infection (XAWI), enables a series of multi-app, colluding attacks never thought of before, with significant real-world impacts. In particular, we found that the remote adversary can collectively utilize multiple infected apps' individual capabilities to escalate his privileges on a mobile device or orchestrate a highly realistic remote phishing attack (e.g., running a malicious script in Chrome to stealthily change Twitter's WebView to fake Twitter's own login UI). We show that the adversary can easily find such attack "building blocks" (popular apps whose WebViews can be redirected by another app) through automatic fuzzing, and discovered that about 7.4% of the most popular apps are subject to XAWI attacks, including Facebook, Twitter, Amazon and others. Our study reveals the contention between the demand for convenient cross-WebView communication and the need for security control on the channel, and makes the first step toward building OS-level protection to safeguard this fast-growing technology.
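As an added illustration that is not part of the paper or of any app it studied: one app-level mitigation for the WebView-redirection building block described above is to treat the URL another app passes in as untrusted input, load it only if it matches an allowlist of first-party origins, and apply the same check to every navigation the loaded page triggers. The class name, allowlisted hosts and fallback page are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class TrustedWebViewActivity extends Activity {
    // Hypothetical allowlist: only first-party hosts may be loaded on behalf
    // of another app. Hosts and the fallback page are assumptions.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example.com", "accounts.example.com"));
    private static final String HOME = "https://www.example.com/";

    /** HTTPS only, exact host match, no userinfo part: rejects javascript:,
     *  file: and intent: URLs as well as hosts disguised behind "user@". */
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null || uri.getHost() == null) return false;
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setAllowFileAccess(false);
        // Re-check every navigation the loaded page triggers, so a redirect
        // cannot move the WebView onto an origin outside the allowlist either.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url); // true = block this navigation
            }
        });
        // The URL another app handed us via the intent is untrusted input.
        Intent intent = getIntent();
        Uri data = intent == null ? null : intent.getData();
        String requested = data == null ? null : data.toString();
        webView.loadUrl(isAllowedUrl(requested) ? requested : HOME);
    }
}
```

The Activity still has to be declared exported with a matching intent filter in the manifest for other apps to reach it; the allowlist check is what keeps that exposure from becoming a cross-app redirection vector.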
Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews