Supplementary Event-Listener Injection Attack in Smart Phones

• S. Fouzul Hidhaya,
• Angelina Geetha,
• B. Nandha Kumar,
• Loganathan Venkat Sravanth,
• A. Habeeb,

Vol. 9, No. 10, October 30, 2015
10.3837/tiis.2015.10.024, Download Paper (Free):

• android security
• WebView
• Embedded browser
• Smart Phone Security
• Malicious Attacks
• Java Script Injection

Abstract

WebView is a vital component in smartphone platforms like Android, Windows and iOS that enables smartphone applications (apps) to embed a simple yet powerful web browser inside them. WebView not only provides the same functionalities as web browser, it, more importantly, enables a rich interaction between apps and webpages loaded inside the WebView. However, the design and the features of WebView lays path to tamper the sandbox protection mechanism implemented by browsers. As a consequence, malicious attacks can be launched either against the apps or by the apps through the exploitation of WebView APIs. This paper presents a critical attack called Supplementary Event-Listener Injection (SEI) attack which adds auxiliary event listeners, for executing malicious activities, on the HTML elements in the webpage loaded by the WebView via JavaScript Injection. This paper also proposes an automated static analysis system for analyzing WebView embedded apps to classify the kind of vulnerability possessed by them and a solution for the mitigation of the attack.

Statistics

Cite this article