A Tale of Two Cities: How WebView Induces Bugs to Android Applications

Jiajun Hu, Lili Wei, Yepang Liu, S. Cheung, Huaxun Huang
Published in: 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 702-713. Publication date: 2018-09-01. DOI: 10.1145/3238147.3238180 (https://doi.org/10.1145/3238147.3238180)
Citations: 19

Abstract

WebView is a widely used Android component that augments a native app with web browser capabilities. It eases the interactions between an app's native code and web code. However, the interaction mechanism of WebView induces new types of bugs in Android apps. Understanding the characteristics and manifestation of these WebView-induced bugs ($\omega \text{Bugs}$ for short) facilitates the correct usages of WebViews in Android apps. This motivates us to conduct the first empirical study on $\omega \text{Bugs}$ based on those found in popular open-source Android apps. Our study identified the major root causes and consequences of $\omega \text{Bugs}$ and made interesting observations that can be leveraged for detecting and diagnosing $\omega \text{Bugs}$. Based on the empirical study, we further propose an automated testing technique $\omega \text{Droid}$ to effectively expose $\omega \text{Bugs}$ in Android apps. In our experiments, $\omega \text{Droid}$ successfully discovered 30 unique and previously-unknown $\omega \text{Bugs}$ when applied to 146 open-source Android apps. We reported the 30 $\omega \text{Bugs}$ to the corresponding app developers. Out of these 30 $\omega \text{Bugs}$, 14 were confirmed and 7 of them were fixed. This shows that $\omega \text{Droid}$ can effectively detect $\omega \text{Bugs}$ that are of the developers' concern.