Prof finds security problems with Android apps

A Syracuse University professor says he’s uncovered a security flaw in Android apps using the WebView platform.

Of the top 20 apps in ten categories in the Android market, 17 use WebView. WebView allows developers to embed browsers in their apps, giving users the opportunity to interact with social media, personal email and other app users.

However, professor of computer science Wenliang Du says he’s discovered that the use of WebView opens app developers and users to potential risks.

First, he says, there’s the issue of which apps to trust. Users of well-known browsers such as Firefox, Explorer or Safari can be fairly confident they’re protected from malicious content.

However, WebView allows developers to embed browsers in their apps, creating thousands of browser applications on mobile platforms. And there is no way to determine which apps are trustworthy, he says. Malicious app developers could create apps that steal or modify users’ information in their online accounts, such as Facebook.

In addition, he says, customers are losing the protection of the sandbox, which protects user information and prevents personal information from being unknowingly shared throughout the web.

As apps have become more dynamic, those safeguards can get in the way of functionality, and many app developers have begun taking shortcuts.

“In industry, developers are usually carried away by the fancy features they create for their products; they often forget about or underestimate the security problems caused by those features,” says Du.

“This has happened many times in the history of computing. The design of WebView in Android is just another example of this.”

Du says he’s contacted Google about the issue, and now plans to see whether the same problems apply to other platforms.