Fancy features compromise Android security


An American computer scientist has claimed there could be significant weaknesses in the WebView platform used to write almost nine out of ten Android apps.

According to Wenliang Du, professor of computer science at Syracuse University in the US, WebView is used to create 86 percent of Android apps, but developers could abuse the controls in place in an effort to make their apps more popular.

The heart of the problem, Du claimed, is that WebView has enabled developers to embed browsers in their apps. This makes the apps more customisable and able to feed into social media and personal email streams, but could have a dire impact on security.

“In industry, developers are usually carried away by the fancy features they create for their products; they often forget about or underestimate the security problems caused by those features,” Du said.

“This has happened many times in the history of computing. The design of WebView in Android is just another example of this.”

The result is that developers can side-step some of the security features within browsers, and effectively create new browsers within their apps that are hard to control and break guidelines on the use of sandboxes.

“Internet browsers have safeguards, known as the sandbox, that protect user information and prevent personal information from unknowingly being shared throughout the web,” Du said.

“As apps have become more dynamic, those safeguards can often impede some of the desired functionality a developer wishes to create. As a result, app developers have slowly begun opening up holes in the protective sandbox to provide a better user experience, but as a result user information is no longer as secure.”

Du didn't give any examples of apps that were insecure due to such shortcuts, but said the proliferation of browsers embedded inside applications would inherently make it easier for malicious developers to publish apps that could steal user information.

“WebView allows developers to embed browsers in their apps, creating thousands of browser applications on mobile platforms and there is no way to determine which apps are trustworthy,” Du said. “Malicious app developers could create apps that steal or modify users’ information in their online accounts, such as Facebook.”

Du said he had submitted a proposal to Google to explore whether there were ways to preserve the user-friendly aspects of WebView and at the same time make it secure.

Google has yet to respond to a request for comment on Du's findings.

Copyright © Alphr, Dennis Publishing