Raising the Bar Really High: An MTD Approach to Protect Data in Embedded Browsers

Title: Raising the Bar Really High: An MTD Approach to Protect Data in Embedded Browsers
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Mohsen, Fadi; Jafaarian, Haadi
Conference Name: 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
Keywords: android, apps, browser-based vulnerabilities, Browsers, composability, compositionality, computing systems security, Cyber Attacks, data protection, file servers, HTML, Human Behavior, human factors, Internet, Internet users privacy, Java, JavaScript injection attacks, Metrics, mobile, Mobile Application, mobile computing, mobile operating systems, mobile WebViews, moving target defense, MTD, MTD approach, online front-ends, Operating systems, operating systems (computers), privacy, pubcrawl, resilience, Resiliency, security, security of data, server-side moving target defense technique, smart phones, UI component, user interfaces, web, Web Browser Security, Web browsers safety, Web pages, WebView-Embedded app, WebViews
Abstract: The safety of web browsers is essential to the privacy of Internet users and the security of their computing systems. In the last few years, there have been several cyber attacks geared towards compromising surfers' data and systems via exploiting browser-based vulnerabilities. Android and a number of mobile operating systems have been supporting a UI component called WebView, which can be embedded in any mobile application to render the web contents. Yet, this mini-browser component has been found to be vulnerable to various kinds of attacks. For instance, an attacker in her WebView-Embedded app can inject malicious JavaScripts into the WebView to modify the web contents or to steal user's input values. This kind of attack is particularly challenging due to the full control of attackers over the content of the loaded pages. In this paper, we are proposing and testing a server-side moving target defense technique to counter the risk of JavaScript injection attacks on mobile WebViews. The solution entails creating redundant HTML forms, randomizing their attributes and values, and asserting stealthy prompts for the user data. The solution does not dictate any changes to the browser or applications codes, neither it requires key sharing with benign clients. The results of our performance and security analysis suggest that our proposed approach protects the confidentiality and integrity of user input values with minimum overhead.
Citation Key: mohsen_raising_2019