<div class="csl-bib-body">
<div class="csl-entry">Beer, P., Squarcina, M., Veronese, L., & Lindorfer, M. (2024). Tabbed Out: Subverting the Android Custom Tab Security Model. In <i>2024 IEEE Symposium on Security and Privacy (SP)</i> (pp. 4591–4609). https://doi.org/10.1109/SP54263.2024.00105</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/203681
-
dc.description.abstract
Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. A recently introduced component called Custom Tab (CT) provides an outstanding feature to overcome the usability limitations of traditional WebViews: it shares the state with the underlying browser. Similar to traditional WebViews, it can also keep the host application informed about ongoing Web navigations. In this paper, we perform the first systematic security evaluation of the CT component and show how the design of its security model did not consider cross-context state inference attacks when the feature was introduced. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage. To assess the prevalence of CTs in the wild and the practicality of the mitigation strategies we propose, we carry out the first large-scale analysis of CT usage on over 50K Android applications. Our analysis reveals that their usage is widespread, with 83% of applications embedding CTs either directly or as part of a library.
We have responsibly disclosed all our findings to Google, which has already taken steps to apply targeted mitigations, assigned three CVEs for the discovered vulnerabilities, and awarded us $10,000 in bounties. Our interaction with Google led to clarifications of the CT security model in the new Chrome Custom Tabs Security FAQ document.
en
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds
-
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds
-
dc.description.sponsorship
Europäischer Forschungsrat (ERC)
-
dc.language.iso
en
-
dc.subject
web security
en
dc.subject
mobile security
en
dc.subject
XS-leaks
en
dc.subject
web privacy
en
dc.subject
information leakage
en
dc.subject
app measurement
en
dc.subject
chrome custom tabs
en
dc.subject
android webview
en
dc.title
Tabbed Out: Subverting the Android Custom Tab Security Model
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.contributor.affiliation
TU Wien, Austria
-
dc.relation.doi
10.1109/SP54263.2024
-
dc.description.startpage
4591
-
dc.description.endpage
4609
-
dc.relation.grantno
ICT19-056
-
dc.relation.grantno
ICT22-060
-
dc.relation.grantno
771527
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
2024 IEEE Symposium on Security and Privacy (SP)
-
tuw.peerreviewed
true
-
tuw.project.title
IoTIO: Analyse des Internet der Unsicheren Dinge
-
tuw.project.title
Fixing the Broken Bridge Between Mobile Apps and the Web
-
tuw.project.title
Foundations and Tools for Client-Side Web Security
-
tuw.researchTopic.id
I4
-
tuw.researchTopic.name
Information Systems Engineering
-
tuw.researchTopic.value
100
-
tuw.publication.orgunit
E192-06 - Forschungsbereich Security and Privacy
-
tuw.publisher.doi
10.1109/SP54263.2024.00105
-
dc.description.numberOfPages
19
-
tuw.author.orcid
0009-0009-6923-0027
-
tuw.author.orcid
0000-0002-3105-0903
-
tuw.author.orcid
0009-0005-0459-6993
-
tuw.author.orcid
0000-0001-7001-4481
-
tuw.event.name
IEEE Symposium on Security and Privacy (SP 2024)
en
tuw.event.startdate
19-05-2024
-
tuw.event.enddate
23-05-2024
-
tuw.event.online
On Site
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
San Francisco
-
tuw.event.country
US
-
tuw.event.presenter
Beer, Philipp
-
tuw.event.track
Multi Track
-
wb.sciencebranch
Informatik
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.value
100
-
item.openairetype
conference paper
-
item.grantfulltext
restricted
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
item.languageiso639-1
en
-
crisitem.author.dept
TU Wien, Austria
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.orcid
0000-0002-3105-0903
-
crisitem.author.orcid
0009-0005-0459-6993
-
crisitem.author.orcid
0000-0001-7001-4481
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds