TL;DR
This paper introduces BabelView, a static analysis tool that evaluates the security impact of code injection attacks in mobile Webviews, revealing widespread vulnerabilities in Android apps.
Contribution
The paper presents BabelView, a novel static analysis approach that models attacker behavior to systematically identify Webview vulnerabilities without having to reason about JavaScript semantics.
Findings
Identified 2,677 vulnerabilities in 1,663 apps
Apps with vulnerabilities have over 835 million installations
Achieves 90% precision and 66% recall in detection
Abstract
A Webview embeds a full-fledged browser in a mobile application and allows the application to expose a custom interface to JavaScript code. This is a popular technique to build so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the interface and can use it to manipulate the device or exfiltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact of code injection attacks against Webviews using static information flow analysis. Our key idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior -- the BabelView. We evaluate our approach on 11,648 apps from various Android marketplaces, finding 2,677 vulnerabilities in 1,663 apps. Taken…
