Research article
DOI: 10.1145/2627393.2627412
NativeWrap: ad hoc smartphone application creation for end users

Published: 23 July 2014

Abstract

Smartphones have become a primary form of computing. As a result, nearly every consumer, company, and organization provides an "app" for the popular smartphone platforms. Many of these apps are little more than a WebView widget that renders downloaded HTML and JavaScript content. In this paper, we argue that isolating Web applications as separate OS principals has valuable security and privacy advantages. However, in the current smartphone application ecosystem, many such apps are fraught with privacy concerns. To this end, we propose NativeWrap as an alternative model for security- and privacy-conscious consumers to access Web content. NativeWrap "wraps" the domain of a given URL into a native platform app, applying best practices for security configuration. We describe the design of a prototype of NativeWrap for the Android platform and test compatibility on the top 250 Alexa websites. By using NativeWrap, third-party developers are removed from platform code, and users are placed in control of privacy-sensitive operations.
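As an added illustration, not the paper's own code and not NativeWrap's actual implementation, the Java class below sketches what a hardened single-site Android WebView wrapper of the kind the abstract describes can look like: a stand-alone activity that only renders HTTPS pages from one wrapped domain, upgrades plain-HTTP links on that domain to HTTPS, hands any other http(s) URL to the system browser instead of rendering it in-app, drops every other scheme, and disables the WebView capabilities a site-specific wrapper does not need. Because each wrapped site ships as its own Android package, it runs under its own Linux UID with its own private cookie, cache and storage directories, which is the "separate OS principal" property Android provides for free. The package name, the domain in `WRAPPED_DOMAIN`, and the particular settings chosen are assumptions for this example; which configuration NativeWrap itself applies is described in the paper, not here.

```java
package com.example.nativewrap.wrapper; // assumed name; one package per wrapped site means one UID per site

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;

/** Minimal single-site wrapper activity (illustrative example, not NativeWrap's code). */
public class WrapperActivity extends Activity {

    // Assumed configuration: the one domain this wrapper is allowed to render.
    static final String WRAPPED_DOMAIN = "example.com";

    /** True if the host is the wrapped domain or one of its subdomains. */
    static boolean hostInScope(Uri uri) {
        String host = (uri == null) ? null : uri.getHost();
        if (host == null) return false;
        host = host.toLowerCase(Locale.ROOT);
        return host.equals(WRAPPED_DOMAIN) || host.endsWith("." + WRAPPED_DOMAIN);
    }

    /** Policy: only HTTPS, and only the wrapped domain or its subdomains, is rendered in-app. */
    static boolean isInScope(Uri uri) {
        return hostInScope(uri) && "https".equalsIgnoreCase(uri.getScheme());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        harden(webView.getSettings());
        // Older WebViews exposed this bridge by default; removing it is harmless where it is absent.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.setWebViewClient(new ScopedClient());
        webView.loadUrl("https://" + WRAPPED_DOMAIN + "/");
    }

    /** Turn off WebView capabilities a site wrapper does not need. */
    static void harden(WebSettings s) {
        s.setJavaScriptEnabled(true);              // most sites need it; no Java bridge is ever added
        s.setAllowFileAccess(false);                // no file:// reads from the app sandbox
        s.setAllowContentAccess(false);             // no content:// provider access
        s.setAllowFileAccessFromFileURLs(false);    // API 16+
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setGeolocationEnabled(false);             // location only if the user opts in, not by default
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // API 21+: no HTTP subresources
    }

    /** Keep navigation inside the wrapped origin; everything else leaves the WebView. */
    private class ScopedClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            Uri uri = Uri.parse(url);
            if (isInScope(uri)) {
                return false;                       // in scope: let the WebView load it
            }
            String scheme = uri.getScheme();
            if ("http".equalsIgnoreCase(scheme) && hostInScope(uri)) {
                // Same domain over plain HTTP: upgrade and load the HTTPS form instead.
                view.loadUrl(uri.buildUpon().scheme("https").build().toString());
                return true;
            }
            if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
                // Other web origin: hand off to the system browser, never render it here.
                startActivity(new Intent(Intent.ACTION_VIEW, uri));
            }
            return true;                            // javascript:, intent:, file: and friends are dropped
        }

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();                       // never proceed past a TLS error (default, made explicit)
        }
    }
}
```

Two design choices worth noting. Out-of-scope URLs are only forwarded to the browser when their scheme is `http` or `https`; forwarding arbitrary URIs with `ACTION_VIEW` would let a page in the WebView launch `intent:`-style links into other apps. And `onReceivedSslError` explicitly cancels rather than calling `handler.proceed()`, which is the single most common way WebView-based apps lose the protection of certificate validation.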


Cited By

  • (2018) Efficient Approach for Mitigating Mobile Phishing Attacks. IEICE Transactions on Communications, E101.B(9):1982-1996, 1 September 2018. DOI: 10.1587/transcom.2018EBP3020
  • (2017) Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pages 652-665, 2 April 2017. DOI: 10.1145/3052973.3052998
  • (2016) Trusted, Heterogeneous, and Autonomic Mobile Cloud. Secure System Design and Trustable Computing, pages 439-455, 2016. DOI: 10.1007/978-3-319-14971-4_14
  • (2015) A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services. Proceedings of the 2015 IEEE World Congress on Services, pages 181-188, 27 June 2015. DOI: 10.1109/SERVICES.2015.35


Published In

WiSec '14: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks
July 2014, 246 pages
ISBN: 9781450329729
DOI: 10.1145/2627393

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

mobile applications; smartphone security; web browsers

Qualifiers

Research-article

Conference

WiSec '14

Acceptance Rates

WiSec '14 paper acceptance rate: 25 of 96 submissions (26%)
Overall acceptance rate: 98 of 338 submissions (29%)
