Cross Site Request Forgery on Android WebView
Authors : Bhavani A B


Android has always been about connectivity and providing a great browsing experience. Web-based content can be embedded into an Android application using WebView, a user interface component that displays web pages. It can display a remote web page or load static HTML data, which brings the functionality of a browser into the application. WebView provides a number of APIs that let the application interact with the web content inside it. In the current paper, the Cross Site Request Forgery (XSRF) attack specific to Android WebView is investigated. In an XSRF attack, the trust a web application places in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. When the user is logged into the trusted site through the WebView, the site authenticates the WebView and not the application. The application can therefore launch attacks on behalf of the user through the WebView APIs, exploiting the user's credentials and resulting in Cross Site Request Forgery. Attacks can also be launched by setting cookies as HTTP headers and making malicious HTTP requests on behalf of the victim.


Published In : IJCSN Journal Volume 3, Issue 3

Date of Publication : 01 June 2014

Pages : 119 - 124

Figures : 04

Tables : --

Publication Link : Cross Site Request Forgery on Android WebView


Bhavani A B : received the M.Tech degree in VLSI and Embedded Systems from the International Institute of Information Technology, Hyderabad, India in the year 2007. She has worked in the mobile industry in areas related to Embedded Systems, mobile technologies, WebKit browser development, Linux kernel programming, BREW MP and Android. She has experience in handling the responsibility of an entire project end to end, including understanding the requirements and scope, design, coding, integration, debugging, documentation and release. Her research interests include Embedded Systems, mobile technologies, digital signal processing, FPGA design, EDA and computer security. She is currently working as a Senior Engineer in the development of DSP tools at one of the reputed FPGA giants.


Android WebView

Cross Site Request Forgery

Computer Security

In the present work, Cross Site Request Forgery attacks on Android WebView are studied. When the user is logged into the trusted site through WebView, the site authenticates the WebView and not the application. The Android application can exploit the user's credentials through the web-based APIs of WebView, which can submit forms automatically and post malicious content on the trusted site on behalf of the attacker. Three such attacks are modeled using the APIs WebView.loadUrl, WebView.loadData and WebView.postUrl. Attacks can also be launched by appending cookies to the HTTP headers, so that HTTP requests are sent to the trusted site with the user's credentials. The attacks are easy to execute but difficult to detect and prevent, as the user is not aware that requests are being made with his credentials. Future work will focus on developing solutions to defend against such attacks on WebView.
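As an added illustration (not code from the paper), the following Python model shows why the site cannot tell a POST made inside the WebView from one the host application assembles with the session cookie copied into the HTTP headers, the case the abstract and conclusion describe, and the per-session token check a site can add on its side. The session store, the cookie name SESSIONID and the forum post handler are constructed assumptions.

```python
# Added example, not code from the paper: a minimal model of the trust boundary it
# describes. The site authenticates whoever presents a valid session cookie, so a
# request the host app assembles with the cookie in its headers is indistinguishable
# from one the user made inside the WebView. Names and values are constructed.
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
POSTS = []     # messages the site accepted

def login(user):
    """Simulated login: returns the session cookie value the WebView would store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def session_from_headers(headers):
    """Look up the session named by a SESSIONID cookie in the request headers."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID" and value in SESSIONS:
            return SESSIONS[value]
    return None

def handle_post_cookie_only(req):
    """Vulnerable handler: the cookie alone proves who is posting."""
    sess = session_from_headers(req["headers"])
    if req["method"] != "POST" or sess is None:
        return 403
    POSTS.append((sess["user"], req["form"].get("message", "")))
    return 200

def handle_post_with_token(req):
    """Hardened handler: also requires the per-session anti-CSRF token that the
    site placed in its own form. Caveat: this assumes the host app cannot read
    the token out of the rendered page (e.g. via injected JavaScript)."""
    sess = session_from_headers(req["headers"])
    if req["method"] != "POST" or sess is None:
        return 403
    if not secrets.compare_digest(req["form"].get("csrf_token", ""), sess["csrf"]):
        return 403
    POSTS.append((sess["user"], req["form"].get("message", "")))
    return 200

def request_with_cookie_header(sid, message, token=None):
    """A POST assembled outside the page, carrying the session cookie as a header."""
    form = {"message": message}
    if token is not None:
        form["csrf_token"] = token
    return {"method": "POST", "headers": {"Cookie": f"SESSIONID={sid}"}, "form": form}
```

The cookie-only handler accepts the header-assembled request exactly as it would one from the WebView; the token handler rejects it until the form also carries the session's token.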

