Secure Communication and Computer Systems Lab, Texas A&M University
Automated Generation of Event-Oriented Exploits in Android Hybrid Apps
Guangliang Yang, Jeff Huang, and Guofei Gu
In Android, the hybrid development approach is popular
• The use of the embedded browser, known as "WebView"
  • rendering web content and running JavaScript code without leaving apps (i.e., hybrid apps)
• Advantages
  • Easy to deploy
  • Re-using existing web code
Event Handler: A unique WebView feature
• Through the event handler feature, developers can handle/customize web events.
  • Changing web UI, such as
    • drawing web alert dialogs
  • Supporting customized URLs, such as
    • tel:800 -> making a call
• 94.2% of apps use the event handler feature
Security Flaws!
• Handling/Customizing web events via Event Handler
[Figure: hybrid app with HTML/JavaScript code in WebView, a web event, and the event handler in native (Java) code]
Attacking Event Handlers
• Potential Attack#1: triggering an event handler with appropriate input
[Figure: Server and Android Device; on the device, a hybrid app with HTML/JavaScript code in WebView and the event handler in native (Java) code]
WebView:
    <a href='mmsdk://c1.c2?args=...&callback=...'>
Native:
    shouldOverrideUrlLoading(WebView view, String url) {
        …
        function1 ← hashmap(c1.c2)    // Implicit Flow
        result = function1(args)
        loadUrl("javascript:" + callback + "(" + result + ")");
    }

1. Recording audio
2. Using camera to take pictures
3. Leaking device ID
4. Attacking other apps using Intent
5. …
[Figure: Event Handler#2, Event Handler#1 and Target]
Event Handler#2 → Event Handler#1
Attacking Event Handlers
• Potential Attack#2: Playing web events as “gadgets”
  • The target program state is St
  • State transitions: [S1→S2→ ... →St]
  • Web events triggering: [E1→E2→ ... →Et]
  • Event handlers: [EH1→EH2→ ... →EHt]
Generalizing Attacks: Event Oriented Exploits (EOE)
Event Oriented Exploits
• Consequences
  • Cross-origin/frame DOM manipulation
  • Phishing
  • Sensitive information leakage (such as IMEI and GPS)
  • Local resource access (such as local database), etc.
Detecting and verifying existing apps against EOE
Detecting and verifying apps against EOE
• Existing techniques face significant challenges
  • Static analysis (AppIntent, IntelliDroid, TriggerScope, etc.)
    • False positives
      • Lack of real data and context
    • False negatives
      • Java Reflection
      • Implicit flows (Google Ads, etc.)
• Recap …
    WebView:
        <a href='mmsdk://c1.c2?args=...&callback=...'>
    Native:
        shouldOverrideUrlLoading(WebView view, String url) {
            …
            function1 ← hashmap(c1.c2)    // Implicit Flow
        }
• Existing techniques face significant challenges
  • Dynamic analysis
    • False negatives
      • Low code coverage
Our Solution: EOEDroid
1. Dynamic Symbolic Execution
2. Static backward analysis
3. Log analysis
How does EOEDroid work?
[Figure: Event Handler#2, Event Handler#1 and Target]
Event Handler#2 → Event Handler#1
Phase1: Event Handler Analysis
• Symbolic Execution
• Challenges
  • Path explosion
    • Discovering interesting paths
  • Unsupported Fork()
    • Keeping analysis contexts clean
    • Hooking external-content-writing
  • Android ICC: intent
    • Linking intent senders and receivers
  • Implicit Flows
    • Converting implicit flows to regular conditional statements
Phase2: Program State Analysis
• Event handler input generation
  • Computing path constraints
• Event handler execution order generation
  • Static backward analysis
Phase3: Exploit Code Generation
• Conducting the systematic study of event handler triggering code and constraints
  • Web events -> Native event handlers
  • Transferring data
  • Triggering constraints
• Recap …
    WebView:
        <a href='mmsdk://c1.c2?args=...&callback=...'>
    Native:
        shouldOverrideUrlLoading(WebView view, String url) {
            …
            loadUrl("javascript:" + callback + "(" + result + ")");
        }
• JavaScript Code Syntax Analysis
  • Analyzing Abstract Syntax Tree
RESULTS / EVALUATION
Evaluation
• Dataset
  • 3,652 popular apps
• Testbed
  • Android 4.3 + Nexus 10
• Methodology
  • Monkey + Mitmproxy
Results
• 97 vulnerabilities
• 58 vulnerable apps
• Low false positives & false negatives
• Analysis time per app: ~4 minutes
CASE STUDY
Case Study: Discovering a potential backdoor
• A high-profile browser (com.mx.xxxx)
  • 10 million downloads
• Using EOE to leverage a potential backdoor
  • Stealing IMEI
• Phase#1: applying symbolic execution to analyze each event handler
• Phase#2: applying static analysis to generate the required event handler execution order
  • onPageFinished() → shouldOverrideUrlLoading()
• Phase#3: Generating exploit code
  • onPageFinished()
  • shouldOverrideUrlLoading()
CONCLUSION
• Despite existing discussion, the event handler feature continues to be problematic in existing apps. In this paper, we discovered that the event handler feature may cause serious consequences.
• We propose a novel vulnerability detection and verification tool (EOEDroid), and verified that our tool is accurate and effective.
Thanks!
Phase1: Event Handler Analysis
• Implicit Flows
  • Converting implicit flows to regular conditional statements
  • Hashmap
    • r = hashmap.get(k)
    • [k0, k1, k2, ..., kn]
    • Conversion
Related Work
• NoFrak, MobileIFC, and Draco: extending same origin policy (SOP) to the native layer, or providing access control on event handlers
  • Hard to deploy
  • Hard to upgrade
  • Coarse-grained
• WIREframe and HybridGuard: providing policy enforcement
  • They only focus on JavaScript code.
  • They can be bypassed by EOE.
Countermeasure
• Using safe connection channel: HTTPS
• Checking the frame level and the origin information of the event handler caller
• Upgrade WebView to the newest version
• Providing new APIs with rich information
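
The frame-level and origin checks listed above, applied to the `mmsdk://` bridge shape from the earlier slides, as an added example in plain Java (not code from the talk, EOEDroid or any SDK). The class `BridgeGuard`, the trusted origin and the `ui.setTitle` function are assumptions made for illustration; the comments name the Android calls that would supply each input.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;

// Added example, plain JDK so it runs off-device. Origin, function name and inputs are constructed.
public class BridgeGuard {
    // Assumption: the only origin whose pages may use the bridge.
    static final Set<String> TRUSTED_ORIGINS = Set.of("https://app.example.com");
    // Fixed allowlist of callable functions (hypothetical "ui.setTitle").
    static final Map<String, Function<String, String>> HANDLERS =
            Map.of("ui.setTitle", args -> "ok");
    // The callback must be a bare identifier, never a JavaScript expression.
    static final Pattern CALLBACK = Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]{0,63}");

    // Origin of an HTTPS page URL, or null for anything else (fail closed).
    static String originOf(String pageUrl) {
        try {
            URI u = URI.create(pageUrl);
            if (!"https".equalsIgnoreCase(u.getScheme()) || u.getHost() == null) return null;
            boolean defaultPort = u.getPort() == -1 || u.getPort() == 443;
            return "https://" + u.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + u.getPort());
        } catch (IllegalArgumentException | NullPointerException e) {
            return null;
        }
    }

    // Encode s as a JavaScript string literal so it cannot break out of the call.
    static String jsString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            boolean risky = c == '"' || c == '\\' || c == '<' || c < 0x20
                    || c == 0x2028 || c == 0x2029;
            sb.append(risky ? String.format("\\u%04x", (int) c) : String.valueOf(c));
        }
        return sb.append('"').toString();
    }

    // Returns the script for WebView.evaluateJavascript(), or null to drop the request.
    // On Android, inside shouldOverrideUrlLoading(WebView view, WebResourceRequest request):
    // pageUrl = view.getUrl(), mainFrame = request.isForMainFrame(), bridgeUrl = request.getUrl().toString().
    static String handle(String pageUrl, boolean mainFrame, String bridgeUrl) {
        if (!mainFrame) return null;                                           // frame-level check
        String origin = originOf(pageUrl);
        if (origin == null || !TRUSTED_ORIGINS.contains(origin)) return null;  // origin check (HTTPS only)
        String name = null, args = null, callback = null;
        try {
            URI u = URI.create(bridgeUrl);
            name = u.getAuthority();
            if (!"mmsdk".equals(u.getScheme()) || name == null || u.getRawQuery() == null) return null;
            for (String kv : u.getRawQuery().split("&")) {
                int i = kv.indexOf('=');
                if (i < 0) continue;
                String v = URLDecoder.decode(kv.substring(i + 1), StandardCharsets.UTF_8);
                if (kv.startsWith("args=")) args = v;
                else if (kv.startsWith("callback=")) callback = v;
            }
        } catch (IllegalArgumentException | NullPointerException e) {
            return null;
        }
        Function<String, String> fn = HANDLERS.get(name);
        if (fn == null || args == null || callback == null) return null;
        if (!CALLBACK.matcher(callback).matches()) return null;                // identifier only
        return callback + "(" + jsString(fn.apply(args)) + ");";
    }

    public static void main(String[] unused) {
        String call = "mmsdk://ui.setTitle?args=hi&callback=onDone";           // constructed sample
        System.out.println(handle("https://app.example.com/p", true, call));   // trusted main-frame page
        System.out.println(handle("http://app.example.com/p", true, call));    // plain-HTTP page
        System.out.println(handle("https://app.example.com/p", false, call));  // sub-frame caller
        System.out.println(handle("https://app.example.com/p", true,
                "mmsdk://ui.setTitle?args=hi&callback=a.b(1)"));               // non-identifier callback
    }
}
```

Every rejected case returns null, so the native function is never invoked and nothing is written back into the page; only the first call in `main` yields a script.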