#HITB2021SIN D2T2 - Securing Webviews and The Story Behind CVE-2021–21136 - Imdadullah M. & Shiv S.

Webview: an in-app web browser component that gives a seamless user experience without context switching between the system browser and the mobile application. It lets developers render web content directly inside the app and encourages code reuse, which is why Webviews are so widely used in current mobile application development. This presentation covers the common Webview-related security issues and the techniques that prevent them, so that mobile applications remain secure and robust. We will discuss the following common security issues and their prevention:

Insecure Deeplink implementation

Insufficient URL validation

Insufficient Webview hardening

Lack of Webview isolation

Unintended data leakage via misconfigured Webview
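
As an added illustration of the first three items (this is example code written for this page, not code from the talk or its authors), the Java WebViewClient below puts the substring-style URL check behind many "insufficient URL validation" findings next to an exact scheme-and-host allow-list, applies the WebSettings that make up a typical Webview hardening checklist, and routes a deep-link target through the same check before it is loaded. The class name HardenedWebViewClient, the hosts app.example.com and cdn.example.com, and the helper methods harden and loadFromDeepLink are all assumed names, not anything taken from the presentation.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical client (not from the talk) contrasting weak and strict URL validation. */
public final class HardenedWebViewClient extends WebViewClient {

    // Assumed allow-list for illustration; replace with the origins your app actually embeds.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "cdn.example.com"));

    // INSUFFICIENT: prefix/substring matching. Both checks pass for
    // "https://app.example.com.attacker.tld/" and the second also passes for
    // "https://attacker.tld/?ref=example.com", so an attacker-controlled page is loaded
    // with whatever JavaScript bridges or cookies the WebView carries.
    static boolean weakIsTrusted(String url) {
        return url.startsWith("https://app.example.com") || url.contains("example.com");
    }

    // SUFFICIENT: parse the URL, then require an exact scheme and an exact host match.
    static boolean isTrusted(Uri uri) {
        if (uri == null || uri.isOpaque()) return false;     // "javascript:", "mailto:", "intent:"
        if (!"https".equals(uri.getScheme())) return false;  // rejects http://, file://, content://
        if (uri.getUserInfo() != null) return false;         // "https://app.example.com@attacker.tld/"
        String host = uri.getHost();
        if (host == null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        // Returning true cancels the navigation, so the WebView never lands on an off-list origin.
        return !isTrusted(request.getUrl());
    }

    /** Settings that a "Webview hardening" review usually expects to see. */
    static void harden(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);          // leave off unless the content needs it
        s.setAllowFileAccess(false);                      // no file:// loads
        s.setAllowContentAccess(false);                   // no content:// provider reads
        s.setAllowFileAccessFromFileURLs(false);          // deprecated, still honoured on older APIs
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new HardenedWebViewClient());
    }

    /** Deep-link entry point: the Intent data goes through the same allow-list before loadUrl(). */
    static boolean loadFromDeepLink(WebView webView, Uri deepLinkTarget) {
        if (!isTrusted(deepLinkTarget)) return false;     // never trust a URL handed in by another app
        webView.loadUrl(deepLinkTarget.toString());
        return true;
    }
}
```

Two caveats when adapting this: shouldOverrideUrlLoading is only consulted for navigations, so subresource and iframe loads need the same allow-list applied in shouldInterceptRequest if they matter to you, and the check has to run before the very first loadUrl() as well, which is why the deep-link helper validates rather than relying on the client callback.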

In the later part of the presentation, we will cover the story behind Chromium CVE-2021-21136 (https://bugs.chromium.org/p/chromium/issues/detail?id=1038002): a security issue in Android WebView that led to sensitive data, such as users' auth tokens and shared secrets, leaking to third parties.

===

Imdadullah Mohammed is currently working as a Security Engineer with Grab, Singapore. He has extensive experience in performing end-to-end security assessments of web applications, web services, thick clients, mobile applications, IoT devices, and networks. As a security engineer, he has also been responsible for secure code reviews, security training, implementation of security standards, and various other application security initiatives.

---

Shiv Sahni is currently working as a Senior Associate with JP Morgan Chase, Singapore. He is one of the contributors to the OWASP MSTG project and is also the author of a whitepaper titled ‘The Grey Matter of Securing Android Applications’. Shiv has worked as a guest lecturer for the ‘Post-Graduation Diploma Cyber Security’ (PGDCL) course at the University of Delhi. His credentials include OSCP, CREST-CRT, CREST-CPSA, AWS-CSA, ISO 27001-LA, and a Gold Medal from the University of Delhi for outstanding academic performance. His research has identified multiple vulnerabilities in organizations including Google, Microsoft, Intel, ING Bank, Sony, Stack Exchange, and AT&T. Apart from working on penetration testing projects, he has also worked on various assignments to shift security left in the SDLC and has trained over 200 people in application security.
