An Webview Vulnerability Protection Based On Access Control And Script Detection

doi:10.3969/j.issn.1671-1122.2015.03.008

Abstract

Abstract:

This paper studies the formation mechanism of the Webview vulnerability, and learns that the vulnerability arises from the unsafe function’ invoking and did not defend java reflection on the program. At present, Webview vulnerability detection method is mainly based on black box testing, which is at low accuracy. This paper proposes a detection combined of static analysis and dynamic analysis: static analysis can carry out where is the unsafe function, and dynamic analysis can make a test on the unsafe function, in that way the Webview vulnerability can be detected effectively and accurately. At the same time, this paper studies the Webview vulnerability protection proposed by Google, and pointed out that there exits three defects in Google’s defend. So this paper proposes a vulnerability defend based on access control and script detection, the defend is strict with the visitors’ authority limit, timely responding to the user and makes use of script detection to distinguish the security scripts and malicious script, putting an end to the Webview vulnerability without any ability weaken. Finally, this paper designs a set of experiment, comparing the undefended program and the defend programs, the result shows that the protection is valid.

Key words: android system, Webview vulnerability, detection, defend

CLC Number:

TP309

YE Jia-xi, ZHANG Quan, WANG Jian. An Webview Vulnerability Protection Based On Access Control And Script Detection[J]. Netinfo Security, 2015, 15(3): 38-43.

Figures/Tables 7

References 14

[1]	周莉婕,雷友珣. Android操作系统浏览器安全漏洞的分析[J]. 软件,2013, 34(5): 107-111.
[2]	吴欢. 基于WebKit的嵌入式浏览器移植和扩展技术[D]. 华中科技大学, 2013.
[3]	Chin E M.Helping Developers Construct Secure Mobile Applications[D]. UNIVERSITY OF CALIFORNIA, BERKELEY, 2013.
[4]	Luo T, Hao H, Du W, et al.Attacks on WebView in the Android system[C]. ACM, 2011.
[5]	Neugschwandtner M, Lindorfer M, Platzer C.A View to a Kill: WebView Exploitation.[C]. 2013.
[6]	孙巍,徐学东,徐学军. Java反射机制在可重构Web框架中的应用[J]. 计算机工程与应用,2005, 41(36): 92-94.
[7]	徐尤华,熊传玉. Android 应用的反编译[J]. 电脑与信息技术, 2012, 20(1): 50-51.
[8]	Chin E, Wagner D.Bifocals: Analyzing WebView Vulnerabilities in Android Applications[Z]. Springer, 2014138-159.
[9]	Vance A.Times Web Ads Show Security Breach[Z]. 2009.
[10]	腾讯大数据. 2014年第二季度移动行业数据报告[R].2014.
[11]	Hay R, Amit Y.Android browser cross-application scripting[R]. CVE-2011-2357, IBM Rational Application Security Research Group, 2011.
[12]	Bhavani A B. Cross-site Scripting Attacks on Android WebView[J]. arXiv preprint arXiv:1304.7451. 2013.
[13]	丰生强. Android软件的破解技术[Z].北京: 人民邮电出版社, 2013265-309.
[14]	腾讯大数据. 2014年第一季度移动行业数据报告[R].2014.

[1]	ZHOU Shucheng, LI Yang, LI Chuanrong, GUO Lulu, JIA Xinhong, YANG Xinghua. Context-Based Abnormal Root Cause Algorithm [J]. Netinfo Security, 2024, 24(7): 1062-1075.
[2]	XIANG Hui, XUE Yunhao, HAO Lingxin. Large Language Model-Generated Text Detection Based on Linguistic Feature Ensemble Learning [J]. Netinfo Security, 2024, 24(7): 1098-1109.
[3]	GUO Xiangxin, LIN Jingqiang, JIA Shijie, LI Guangzheng. Security Analysis of Cryptographic Application Code Generated by Large Language Model [J]. Netinfo Security, 2024, 24(6): 917-925.
[4]	WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin. Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection [J]. Netinfo Security, 2024, 24(5): 657-666.
[5]	LI Zhihua, CHEN Liang, LU Xulin, FANG Zhaohui, QIAN Junhao. Lightweight Detection Method for IoT Mirai Botnet [J]. Netinfo Security, 2024, 24(5): 667-681.
[6]	GU Guomin, CHEN Wenhao, HUANG Weida. A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion [J]. Netinfo Security, 2024, 24(5): 694-708.
[7]	ZHANG Hao, XIE Dazhi, HU Yunsheng, YE Junwei. A Review of Network Anomaly Detection Based on Semi-Supervised Learning [J]. Netinfo Security, 2024, 24(4): 491-508.
[8]	WANG Jian, CHEN Lin, WANG Kailun, LIU Jiqiang. Application Layer DDoS Detection Method Based on Spatio-Temporal Graph Neural Network [J]. Netinfo Security, 2024, 24(4): 509-519.
[9]	TU Xiaohan, ZHANG Chuanhao, LIU Mengran. Design and Implementation of Malicious Traffic Detection Model [J]. Netinfo Security, 2024, 24(4): 520-533.
[10]	JIANG Rong, LIU Haitian, LIU Cong. Unsupervised Network Intrusion Detection Method Based on Ensemble Learning [J]. Netinfo Security, 2024, 24(3): 411-426.
[11]	ZHANG Xinyou, SUN Feng, FENG Li, XING Huanlai. Multi-View Representations for Fake News Detection [J]. Netinfo Security, 2024, 24(3): 438-448.
[12]	ZHANG Qiang, HE Junjiang, LI Wenshan, LI Tao. Anomaly Traffic Detection Based on Deep Metric Learning [J]. Netinfo Security, 2024, 24(3): 462-472.
[13]	FENG Guangsheng, JIANG Shunpeng, HU Xianlang, MA Mingyu. New Research Progress on Intrusion Detection Techniques for the Internet of Things [J]. Netinfo Security, 2024, 24(2): 167-178.
[14]	JIN Zhigang, DING Yu, WU Xiaodong. Federated Intrusion Detection Algorithm with Bilateral Correction Merging Gradient Difference [J]. Netinfo Security, 2024, 24(2): 293-302.
[15]	SUN Hongzhe, WANG Jian, WANG Peng, AN Yulong. Network Intrusion Detection Method Based on Attention-BiTCN [J]. Netinfo Security, 2024, 24(2): 309-318.