• KSII Transactions on Internet and Information Systems
    Monthly Online Journal (eISSN: 1976-7277)

Supplementary Event-Listener Injection Attack in Smart Phones


Abstract

WebView is a vital component in smartphone platforms like Android, Windows and iOS that enables smartphone applications (apps) to embed a simple yet powerful web browser inside them. WebView not only provides the same functionalities as web browser, it, more importantly, enables a rich interaction between apps and webpages loaded inside the WebView. However, the design and the features of WebView lays path to tamper the sandbox protection mechanism implemented by browsers. As a consequence, malicious attacks can be launched either against the apps or by the apps through the exploitation of WebView APIs. This paper presents a critical attack called Supplementary Event-Listener Injection (SEI) attack which adds auxiliary event listeners, for executing malicious activities, on the HTML elements in the webpage loaded by the WebView via JavaScript Injection. This paper also proposes an automated static analysis system for analyzing WebView embedded apps to classify the kind of vulnerability possessed by them and a solution for the mitigation of the attack.


Statistics

Show / Hide Statistics

Statistics (Cumulative Counts from December 1st, 2015)
Multiple requests among the same browser session are counted as one view.
If you mouse over a chart, the values of data points will be shown.


Cite this article

[IEEE Style]
S. F. Hidhaya, A. Geetha, B. N. Kumar, L. V. Sravanth, A. Habeeb, "Supplementary Event-Listener Injection Attack in Smart Phones," KSII Transactions on Internet and Information Systems, vol. 9, no. 10, pp. 4191-4203, 2015. DOI: 10.3837/tiis.2015.10.024.

[ACM Style]
S. Fouzul Hidhaya, Angelina Geetha, B. Nandha Kumar, Loganathan Venkat Sravanth, and A. Habeeb. 2015. Supplementary Event-Listener Injection Attack in Smart Phones. KSII Transactions on Internet and Information Systems, 9, 10, (2015), 4191-4203. DOI: 10.3837/tiis.2015.10.024.

[BibTeX Style]
@article{tiis:20927, title="Supplementary Event-Listener Injection Attack in Smart Phones", author="S. Fouzul Hidhaya and Angelina Geetha and B. Nandha Kumar and Loganathan Venkat Sravanth and A. Habeeb and ", journal="KSII Transactions on Internet and Information Systems", DOI={10.3837/tiis.2015.10.024}, volume={9}, number={10}, year="2015", month={October}, pages={4191-4203}}