A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' - - PowerPoint PPT Presentation

a view to a kill
SMART_READER_LITE
LIVE PREVIEW

A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' - - PowerPoint PPT Presentation

Mar 16, 2024 118 likes •258 views

A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' Mar2na'Lindorfer' Chris2an'Platzer' ' Interna2onal'Secure'Systems'Lab' Vienna'University'of'Technology' Web - Views ! Consumption of web content shifts to mobile devices

slide-1
SLIDE 1

A View To A Kill!

WebView Exploitation!

Ma#hias'Neugschwandtner' Mar2na'Lindorfer' Chris2an'Platzer' '

Interna2onal'Secure'Systems'Lab' Vienna'University'of'Technology'

slide-2
SLIDE 2

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Web - Views!

  • Consumption of web content shifts to mobile devices !
  • Typically not through browser but standalone app!

2'

slide-3
SLIDE 3

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

WebView Library!

  • Browser library for mobile devices!
  • Available on all popular Smartphone OS!
  • Allows quick development of web-based apps!

– HTML, JavaScript, CSS! – Also targeted at inexperienced developers! – Third party frameworks (Apache Cordova) require no native code at all! – Updates just require change of web content!

3'

slide-4
SLIDE 4

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

WebView vs. Browser!

  • Provides access to device functionality via

JavaScript!

– Hardware buttons! – Persistent storage! – Contacts! – SMS! – Location! – …!

  • Allows development of more streamlined and

capable apps!

  • No containment of web content (sandbox)!

4'

slide-5
SLIDE 5

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Threat Scenario" Server Compromise!

2 GET foo.html 1 3 4

Attacker Webserver Victim Malicious Script Data Leak

</>

5'

slide-6
SLIDE 6

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Threat Scenario" Traffic Compromise!

1 GET foo.html 2 4

Attacker Webserver Victim Data Leak

3

</>

6'

slide-7
SLIDE 7

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Threat Scenario Comparison!

Server%Compromise% Traffic%Compromise% A1ack%leverage% Large'(all'installa2ons'of'a' single'app'are'affected)' Smaller'(depends'on'number' and'loca2on'of'rogue'AP)' Encryp8on% Server'takes'care'of'encryp2on' Only'possible'with'apps'that'use' plain'text'or'don’t'handle' encryp2on'properly' Feasibility% Server'dependent' Traffic'dependent'

7'

slide-8
SLIDE 8

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Case Study" “Take Weather”!

  • Social weather-photo sharing

app !

  • Available for iOS and Android!

– 10,000-50,000 installs on Android!

  • Uses plain HTTP!
  • Based on Cordova!

– Cross-platform access to contacts, call log, location (GPS)! – Android: full access to Java!

8'

slide-9
SLIDE 9

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

WebView on Android!

  • Provides JavaScript-Java bridge!

– Expose complete Java objects via"

WebView.setJavascriptEnabled()
 WebView.addJavascriptInterface
 (<object>, <js_object_name>) "

– Use reflection to create objects & invoke methods!

  • Requires signed certificate for HTTPS!

9'

slide-10
SLIDE 10

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Case Study" “Jiepang”!

  • Chinese “Foursquare” –

location based social app!

  • 100,000-500,000 installs!
  • Permissions to!

– access external storage! – install packages!

  • Uses HTTPS, but!

– overwrites default SSL error handler! – accepts any certificate!

10'

slide-11
SLIDE 11

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Large Scale Evaluation" WebView Prevalence!

  • 287,512 Android apps submitted to Andrubis!
  • July 2012 to March 2013!
  • WebView usage:!

11'

WebView%related%method%call% Samples% Percentage% loadURL' 166,751'' 55%' setJavaScriptEnabled' 158,042' 58%' addJavaScriptInterface' 87,079% 30%%

slide-12
SLIDE 12

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Large Scale Evaluation" Traffic Attack Leverage!

Traffic%Type% Samples% Percentage%of%JSKenabled%samples% Unencrypted''HTML''or'JavaScript' 23,048'' 27%' Lax'SSL'handling' 6,208' 7%'

12'

Permissions% Samples% Percentage%of%vulnerable%samples% SMS'(receive,'read,'write,'send)' 3,124' 11%' Installa2on'(write,'install)' 16,726' 60%' Privacy'(contacts,'loca2on)' 21,197' 76%'

slide-13
SLIDE 13

Usenix LEET 2013! 6th Usenix Workshop on Large-Scale Exploits and Emergent Threats!

Mitigation & Conclusion!

  • Use of HTTPS and correct certificate handling!

– Signed certificates! – Certificate pinning! – WebView targeted at inexperienced developers!

  • Android 4.2 introduced @JavascriptInterface

annotation!

– Will take time until 4.2 is run by a majority of the devices! – New annotation only prevents reflection attacks! – Intended functionality is still available!

13'