PhishinWebView: Analysis of Anti-Phishing Entities in Mobile Apps with WebView Targeted Phishing

Download PDF

Yoonjung Choi, Woonghee Lee, Junbeom Hur

Published: 23 Jan 2024, Last Modified: 23 May 2024TheWebConf24EveryoneRevisionsBibTeX
Keywords: Phishing, WebView Security, Evasion Technique
TL;DR: In this study, we systematically evaluate the blocking processes of Safe Browsing in individual apps in the real world by designing the phishing attack tailored to WebView.
Abstract: Despite the relentless efforts on developing anti-phishing techniques, phishing attacks continue to proliferate, often incorporating evasion techniques to bypass detection. While recent studies have continuously enhanced our understanding of their evasion techniques in desktop environments, few studies have been conducted to explore how the phishing attack is being handled in mobile environments, specifically WebView. In this study, we systematically evaluate the blocking processes of anti-phishing entities in individual apps in the real world by designing the phishing attack tailored to WebView. Specifically, we select eight well-known apps using WebView, and report 80 typical phishing sites (without evasion techniques) and 130 user- agent-specific phishing sites (accessible exclusively via each app’s WebView). For scalable analysis, we develop an autonomous evaluation framework and investigate accessibility of both apps and Safe Browsing entities. As a result, we find that user-agent-specific (UA-specific) phishing sites successfully evade blocking across all of the eight Android apps. We investigate accessing strategies of anti-phishing agents when trying to access UA-specific phishing sites; and only two apps find their accessible user-agents for the phishing site without any subsequent actions such as blocking the link. According to our experiment results, we present security recommendations that apps should provide users with sufficient visual clues on link previews (such as HTTP indicators and URL check status) when accessing websites through WebView. To the best of our knowledge, this is the first study that explores how the WebView environments handle phishing attacks and disclose their vulnerability in the real world.
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 2472