Research on the Security of Android WebView and Application Enhancement

doi:10.3969/j.issn.1671-1122.2015.10.009

Abstract

Abstract:

Android platform provides WebView component to load and display webpage.By calling the APIs provided by WebView, Android applications can interact with the webpage.This interaction includes allowing javascript code in webpage to access the local resources by calling java code in Android applications.In this process, an attacker can tamper with the javascript in webpage to attack Android applications.Based on our research, such attacks usually use the reverse engineering of Android applications to get accessible WebView interface as its first step.Thus, in order to avoid these attacks, this paper proposed an application enhancement scheme to prevent Android reverse engineering and hide WebView component interface in order to protect the Android applications.This scheme can prevent not only attacks on WebView component, but also other attacks based on Android reverse engineering.

Key words: Android, security, WebView, application enhancement

CLC Number:

TP309

ZHAO Guang-ze, LI Hui, MENG Yang. Research on the Security of Android WebView and Application Enhancement[J]. Netinfo Security, 2015, 15(10): 61-65.

Figures/Tables 9

References 10

[1]	贾同彬,蔡阳,王跃武,等. 一种面向普通用户的Android APP安全性动态分析方法研究[J]. 信息网络安全,2015,(9):1-5.
[2]	WebView-AndroidDevelopers[EB/OL].,2015-06-03.
[3]	Jing Yu,Toshihiro,Yamauchi.Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS[C]//2013 IEEE International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing,2013.
[4]	邵旭东,刘洋. 一个应对Android应用抬权攻击的系统框架设计[J]. 信息网络安全,2015,(9):89-92.
[5]	Pinku Hazarika,Rahul Raj CP,Seshubabu Tolety.Recommendations for Webview Based Mobile Applications on Android[C]//2014 IEEE International Conference on Advanced Communication Control and Computing Technologies (ICACCCT),2014.
[6]	Tongbo Luo,Hao Hao,Wenliang Du.Attacks on WebView in the Android System[C]//Proceedings of the 27th Annual Computer Security Application Conference. ACM, 2011: 343-352.
[7]	Hyderabad,Andhra.Cross-site Scripting Attacks on Android WebView[C]//IJCSN International Journal of Computer Science and Network, 2013.
[8]	叶嘉羲,张权,王剑. 基于权限控制和脚本检测的Webview漏洞防护方案研究[J]. 信息网络安全,2015,(3):38-43.
[9]	Jingzhu Wu,Yanhui Guo,Guoai Xu.Enhance Android Applications Based on Anti-Reverse Scheme[C]//Proceedings of IEEE CCIS2012,2012.
[10]	Tang Jiutao, Lin Guoyuan.Research of Software Protection[C]//International Conference on Educational and Network Technology(ICENT 2010),2010.

[1]	SHEN Xiuyu, JI Weifeng. Optimization of Cost of Edge-Cloud Collaborative Computing Offloading Considering Security [J]. Netinfo Security, 2024, 24(7): 1110-1121.
[2]	ZHAO Xinqiang, FAN Bo, ZHANG Dongju. Research on APT Attack Defense System Based on Threat Discovery [J]. Netinfo Security, 2024, 24(7): 1122-1128.
[3]	WEN Wen, LIU Qinju, KUANG Lin, REN Xuejing. Research and Scheme Design of Cyber Threat Intelligence Sharing under Privacy Protection System [J]. Netinfo Security, 2024, 24(7): 1129-1137.
[4]	GUO Xiangxin, LIN Jingqiang, JIA Shijie, LI Guangzheng. Security Analysis of Cryptographic Application Code Generated by Large Language Model [J]. Netinfo Security, 2024, 24(6): 917-925.
[5]	LING Zhi, YANG Ming, YU Jiangyin. Research on Power Security Trading Platform Based on IPFS and Blockchain Technology [J]. Netinfo Security, 2024, 24(6): 968-976.
[6]	ZHANG Changlin, TONG Xin, TONG Hui, YANG Ying. A Survey of Large Language Models in the Domain of Cybersecurity [J]. Netinfo Security, 2024, 24(5): 778-793.
[7]	WANG Wei, HU Yongtao, LIU Qingtao, WANG Kailun. Research on Softwaization Techniques for ERT Trusted Root Entity in Railway Operation Environment [J]. Netinfo Security, 2024, 24(5): 794-801.
[8]	LIU Sinuo, RUAN Shuhua, CHEN Xingshu, ZHENG Tao. An eBPF-Based Threat Observability System for Cloud-Oriented Environment [J]. Netinfo Security, 2024, 24(4): 534-544.
[9]	ZHANG Yanshuo, YUAN Yuqi, LI Liqiu, YANG Yatao, QIN Xiaohong. Periodically Deniable Ring Signature Scheme Based on SM2 Digital Signature Algorithm [J]. Netinfo Security, 2024, 24(4): 564-573.
[10]	XU Zirong, GUO Yanping, YAN Qiao. Malicious Software Adversarial Defense Model Based on Feature Severity Ranking [J]. Netinfo Security, 2024, 24(4): 640-649.
[11]	LIU Feng, JIANG Jiaqi, HUANG Hao. Security Overview of Cryptocurrency Trading Media and Processes [J]. Netinfo Security, 2024, 24(3): 330-351.
[12]	YANG Zhipeng, LIU Daidong, YUAN Junyi, WEI Songjie. Research on Network Local Security Situation Fusion Method Based on Self-Attention Mechanism [J]. Netinfo Security, 2024, 24(3): 398-410.
[13]	HUANG Haiyan, AI Yuxin, LIANG Linlin, LI Zan. Analysis of Physical Layer Security Performance in RSMA Wireless Communication Systems under Eavesdropper Attacks [J]. Netinfo Security, 2024, 24(2): 252-261.
[14]	YAN Hailong, WANG Shulan. Design and Implementation of Integrated Service Platform for Real Estate Registration Based on Domestic Cryptographic Technology [J]. Netinfo Security, 2024, 24(2): 303-308.
[15]	ZHANG Bowen, LI Dong, ZHAO Yizhu, YU Junqing. Research on Endogenous Security Mechanism of Cloud Network Driven by IPv6 Address [J]. Netinfo Security, 2024, 24(1): 113-120.