SU professor uncovers potential issues with apps built for Android systems

Oct 13, 2011

Wenliang Du, professor of computer science in the L.C. Smith College of Engineering and Computer Science (LCS), has had his paper accepted to be presented at the 27th Annual Computer Security Applications Conference, on potential issues with mobile applications (commonly referred to as apps) written for the Android system using the WebView platform.

Currently, in the Android market, 86 percent of the top 20 most-downloaded apps in 10 diverse categories use WebView. With the goal of creating dynamic apps, WebView has enabled developers to embed browsers in their apps allowing users to have a more customized experience that provides opportunities to interact with social media, personal email and other app users. However, Du has discovered that the use of WebView opens app developers and users to potential risks.

There are two major issues addressed in his paper:

  1. Which apps to trust. There are a limited number of on the Internet (i.e. Firefox, Explorer, Safari, etc.). As a result, users of these browsers can be reasonably assured that they are protected from malicious content. However, WebView allows developers to embed browsers in their apps, creating thousands of browser applications on mobile platforms and there is no way to determine which apps are trustworthy. Malicious app developers could create apps that steal or modify users' information in their online accounts, such as Facebook.
  2. Dealing with losing the protection of the sandbox. Internet browsers on computers have safeguards, known as the sandbox, that protect user information and prevent personal information from unknowingly being shared throughout the web. As apps have become more dynamic, those safeguards can often impede some of the desired functionality a developer wishes to create. As a result, app developers have slowly begun opening up holes in the protective sandbox to provide a better , but as a result user information is no longer as secure.
"In industry, developers are usually carried away by the fancy features they create for their products; they often forget about or underestimate the security problems caused by those features," says Du. "This has happened many times in the history of computing. The design of WebView in Android is just another example of this."

Du has submitted a proposal to Google to explore whether there are ways to preserve the nice features of WebView and at the same time make it secure. He and his graduate students are also planning on exploring whether this issue may also affect other smartphone and tablet platforms.

A Ph.D. student, Tongbo Luo, who is currently working with Du on a National Science Foundation cybersecurity research grant, had the initial idea to explore weaknesses in the system. Luo had taken Du's courses in computer security and Internet security where students explored both how to identify weaknesses in operating systems and applications as well as how hackers might take advantage of these weaknesses.

Du is passionate about preparing his students to apply the right amount of skepticism to new product introductions. "The goal of both of my security courses is for students to learn take a look at a system or new technology and ask themselves: 'Is this risky?'"

Explore further: Microsoft expands ad-free Bing search for schools

Provided by Syracuse University

not rated yet
add to favorites email to friend print save as pdf

Related Stories

Android users get malware with their apps

Mar 02, 2011

(PhysOrg.com) -- As new platforms make their way into the market there will always someone who is looking to exploit them for illegal or unethical ends. More proof of that fact has come today when Google was ...

Apple to nix apps that tip off drunk drivers

Jun 09, 2011

(AP) -- After pressure from four U.S. senators, Apple Inc. has said it will start rejecting iPhone applications that tip drivers off about police checkpoints for drunken driving.

How Secure are iPhone and Android Apps

Apr 01, 2010

(PhysOrg.com) -- Today's smartphones are pocket size computers that can be customized by downloading applications. This is what makes a smartphone vulnerable to cybercriminals. In this article we will examine ...

Malicious programmers focus on smartphones, tablets

May 04, 2011

Malicious programmers are always looking for new targets. While smartphones and tablets replace PCs as the gadgets we use for messaging, Web surfing and even doing business, some shady characters are starting to target these ...

Recommended for you

Microsoft expands ad-free Bing search for schools

7 hours ago

Microsoft is expanding a program that gives schools the ability to prevent ads from appearing in search results when they use its Bing search engine. The program, launched in a pilot program earlier this year, is now available ...

Growing app industry has developers racing to keep up

Apr 20, 2014

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Jacket works like a mobile phone

A fire is raging in a large building and the fire leader is sending a message to all firefighters at the scene. But they don't need a mobile phone – they simply check their jacket sleeves and read the message ...

Is nuclear power the only way to avoid geoengineering?

"I think one can argue that if we were to follow a strong nuclear energy pathway—as well as doing everything else that we can—then we can solve the climate problem without doing geoengineering." So says Tom Wigley, one ...