CR · SE · Sep 17, 2017

BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

arXiv:1709.05690v2 · 31 citations
AI Analysis

This work addresses security risks for mobile app users and developers by systematically evaluating vulnerabilities in hybrid applications, though it is incremental in that it builds on existing static analysis techniques.

The paper tackled the problem of code injection attacks in mobile Webviews by developing BabelView, a static information flow analysis approach, and found 2,677 vulnerabilities in 1,663 apps out of 11,648 analyzed, with vulnerable apps having over 835 million installations.

A Webview embeds a full-fledged browser in a mobile application and allows the application to expose a custom interface to JavaScript code. This is a popular technique to build so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the interface and can use it to manipulate the device or exfiltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact of code injection attacks against Webviews using static information flow analysis. Our key idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior -- the BabelView. We evaluate our approach on 11,648 apps from various Android marketplaces, finding 2,677 vulnerabilities in 1,663 apps. Taken together, the apps reported as vulnerable have over 835 million installations worldwide. We manually validated a random sample of 66 apps and estimate that our fully automated analysis achieves a precision of 90% at a recall of 66%.
