Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing or tampering with personal information on the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
Jing YU
Okayama University
Toshihiro YAMAUCHI
Okayama University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Jing YU, Toshihiro YAMAUCHI, "Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS" in IEICE TRANSACTIONS on Information,
vol. E98-D, no. 4, pp. 807-811, April 2015, doi: 10.1587/transinf.2014ICL0001.
Abstract: Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing or tampering with personal information on the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2014ICL0001/_p
@ARTICLE{e98-d_4_807,
author={Jing YU and Toshihiro YAMAUCHI},
journal={IEICE TRANSACTIONS on Information},
title={Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS},
year={2015},
volume={E98-D},
number={4},
pages={807-811},
abstract={Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing or tampering with personal information on the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.},
keywords={},
doi={10.1587/transinf.2014ICL0001},
ISSN={1745-1361},
month={April},}
TY - JOUR
TI - Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS
T2 - IEICE TRANSACTIONS on Information
SP - 807
EP - 811
AU - Jing YU
AU - Toshihiro YAMAUCHI
PY - 2015
DO - 10.1587/transinf.2014ICL0001
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E98-D
IS - 4
JA - IEICE TRANSACTIONS on Information
Y1 - April 2015
AB - Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing or tampering with personal information on the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
ER -