Vulnerabilities in Android webview objects: Still not the end!

WebView objects allow Android apps to render web content in the app context. More specifically, in Android hybrid apps (i.e., those having both Android code and web code) the web content can interact with the underlying Android framework through Java interfaces and WebViewClient objects. Thus, while rendering web content a hybrid app can execute malicious Javascript code that can access the sensitive data on the device, bypassing the sandbox model usually adopted by standalone browsers. Researchers already analyzed the security issues of WebView objects, by focusing on Javascript interfaces. However, we believe that there are other aspects related to the rendering of web content in Android apps, such as WebViewClient objects, that could lead to security issues. In this paper, we introduce three new types of vulnerabilities related to WebView, that expose new attack surfaces concerning the most well-known vulnerability related to JavaScript interfaces. To detect these new types of vulnerabilities, we designed WebVSec, a static analysis system that relies on a set of custom inference rules, heuristically formalized. By designing WebVSec to detect also the vulnerability already described in the state-of-art, we were able to compare WebVSec with BabelView on a set of 2000 applications. BabelView was found not able to detect our new three types of vulnerabilities and also less precise and efficient in detecting the already known vulnerability. In particular, over the 2000 analyzed apps, WebVSec and BabelView identified 48 and 18 vulnerable apps, respectively. Among those, WebVSec found 20 apps having a specific type of vulnerabilities and 36 apps having another type of vulnerabilities, while BabelView found 11 and 0 apps, respectively. In terms of efficiency, WebVSec took 27.16 hours to analyze the whole set of 2000 applications against the 63.64 hours required by BabelView.