Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

HTML5-based mobile applications are becoming more and more popular because they can run on different platforms. Several newly introduced mobile OS natively support HTML5-based applications. For those that do not provide native support, such as Android, iOS, and Windows Phone, developers can develop HTML5-based applications using middlewares, such as PhoneGap. In these platforms, programs are loaded into a web component, called WebView, which can render HTML5 pages and execute JavaScript code. In order for the program to access the system resources, which are isolated from the content inside WebView due to its sandbox, bridges need to be built between JavaScript and the native code e.g. Java code in Android. Unfortunately, such bridges break the existing protection that was originally built into WebView. In this paper, we study the potential risks of HTML5-based applications, and investigate how the existing mobile systems' access control supports these applications. We focus on Android and the PhoneGap middleware. However, our ideas can be applied to other platforms. Our studies indicate that Android does not provide an adequate access control for this kind of applications. We propose a fine-grained access control mechanism for the bridge in Android system. We have implemented our scheme in Android and have evaluated its effectiveness and performance.

[1]  V. N. Venkatakrishnan,et al.  AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements , 2010, USENIX Security Symposium.

[2]  Helen J. Wang,et al.  Subspace: secure cross-domain communication for web mashups , 2007, WWW '07.

[3]  Heng Yin,et al.  Attacks on WebView in the Android system , 2011, ACSAC '11.

[4]  Sougata Mukherjea,et al.  A Middleware Framework for Mashing Device and Telecom Features with the Web , .

[5]  Vikas Agarwal,et al.  User controllable security and privacy for mobile mashups , 2011, HotMobile '11.

[6]  Ankur Taly,et al.  Language-Based Isolation of Untrusted JavaScript , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[7]  Wenliang Du,et al.  ESCUDO: A Fine-Grained Protection Model for Web Browsers , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[8]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[9]  James Mickens,et al.  Jigsaw: Efficient, Low-effort Mashup Isolation , 2012, WebApps.

[10]  Rob Gordon,et al.  Essential Jni: Java Native Interface , 1998 .

[11]  Andre Charland,et al.  Mobile application development , 2011, Commun. ACM.

[12]  Yuchen Zhou,et al.  Protecting Private Web Content from Embedded Scripts , 2011, ESORICS.

[13]  E. Michael Maximilien,et al.  Mobile Mashups: Thoughts, Directions, and Challenges , 2008, 2008 IEEE International Conference on Semantic Computing.

[14]  Cecilia Mascolo,et al.  Don't kill my ads!: balancing privacy in an ad-supported mobile application market , 2012, HotMobile '12.

[15]  Daniel Pierre Bovet,et al.  Understanding the Linux Kernel , 2000 .

[16]  Kapil Singh Can Mobile learn from the Web ? , 2012 .

[17]  Helen J. Wang,et al.  Protection and communication abstractions for web browsers in MashupOS , 2007, SOSP.

[18]  Todd D. Millstein,et al.  Dr. Android and Mr. Hide: fine-grained permissions in android applications , 2012, SPSM '12.

[19]  Dawn Xiaodong Song,et al.  Privilege Separation in HTML5 Applications , 2012, USENIX Security Symposium.

[20]  David A. Wagner,et al.  AdDroid: privilege separation for applications and advertisers in Android , 2012, ASIACCS '12.

[21]  Helen J. Wang,et al.  On the Incoherencies in Web Browser Access Control Policies , 2010, 2010 IEEE Symposium on Security and Privacy.

[22]  Jeremiah Grossman,et al.  XSS Attacks: Cross Site Scripting Exploits and Defense , 2007 .

[23]  Hao Chen,et al.  Investigating User Privacy in Android Ad Libraries , 2012 .

[24]  Shashi Shekhar,et al.  AdSplit: Separating Smartphone Advertising from Applications , 2012, USENIX Security Symposium.

[25]  Ankur Taly,et al.  Isolating JavaScript with Filters, Rewriting, and Wrappers , 2009, ESORICS.

[26]  Benjamin Livshits,et al.  ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser , 2010, 2010 IEEE Symposium on Security and Privacy.

[27]  Ngu Phuc Huy,et al.  Evaluation of mobile app paradigms , 2012, MoMM '12.