An Automated Detection and Verification Method for WebView Component Vulnerabilities

被引：0

作者：

Wang J.-J. ^{[1
]}

Liu J.-X. ^{[1
,2
]}

Ma Y.-F. ^{[2
]}

Shao S. ^{[1
]}

Zhang P.-H. ^{[1
]}

机构：

[1] China Information Technology Security Evaluation Center, Beijing

[2] University of Science and Technology of China, Hefei, 230026, Anhui

来源：

Beijing Ligong Daxue Xuebao/Transaction of Beijing Institute of Technology | 2020年 / 40卷 / 02期

关键词：

Dynamic verification; Mobile security; Static analysis; Vulnerability detection;

D O I：

10.15918/j.tbit1001-0645.2017.359

中图分类号：

学科分类号：

摘要：

With Android WebView component widely used, its vulnerabilities will cause significant risks, but current detection methods which rely on static pattern matching have high rate of false positives. Therefore this paper proposes an automatic detection and verification method for WebView component vulnerabilities, based on static analysis and dynamic verification combination. The reachability analysis of vulnerable suspicious points was used to avoid the futile dynamic verification of invalid paths, for improving analysis efficiency. The data dependency analysis was combined with the dynamic verification that can simulate real attack behaviors to trigger and confirm vulnerabilities timely, for reducing false positives. The prototype tool XWebViewDigger has been developed and tested on 80 real Android applications, with 18 vulnerable applications detected and verified. Compared with current methods, the false positive rate was effectively reduced. © 2020, Editorial Department of Transaction of Beijing Institute of Technology. All right reserved.

引用

页码：169 / 174

页数：5

共 10 条

[1] Enck W., Octeau D., Mcdaniel P., Et al., A study of android application security, Proceedings of Usenix Conference on Security, (2011)
[2] Chin E., Felt A.P., Greenwood K., Et al., Analyzing inter-application communication in Android, Proceedings of International Conference on Mobile Systems, Applications, and Services, pp. 239-252, (2011)
[3] Arzt S., Rasthofer S., Fritz C., Et al., FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps, Acm Sigplan Notices, 49, 6, pp. 259-269, (2014)
[4] Yang Z., Yang M., Zhang Y., Et al., AppIntent: analyzing sensitive data transmission in android for privacy leakage detection, Proceedings of ACM Sigsac Conference on Computer & Communications Security, pp. 1043-1054, (2013)
[5] Egele M., Kruegel C., Kirda E., Et al., PiOS: detecting privacy leaks in iOS applications, Proceedings of Network and Distributed System Security Symposium, NDSS 2011, pp. 280-291, (2011)
[6] Enck W., Gilbert P., Han S., Et al., TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones, Acm Transactions on Computer Systems, 32, 2, pp. 1-29, (2014)
[7] Xia M., Gong L., Lyu Y., Et al., Effective real-time android application auditing, Proceedings of Security and Privacy, pp. 899-914, (2015)
[8] Chin E., Wagner D., Bifocals: analyzing WebView vulnerabilities in android applications, Proceedings of International Workshop on Information Security Applications, pp. 138-159, (2013)
[9] Ye J., Zhang Q., Wang J., An webview vulnerability protection based on access control and script detection, Netinfo Security, 3, pp. 38-43, (2015)
[10] 360 free online application of security risk scanning service

← 1 →