2025-08-25

Studying the Privacy Risks in Android WebView’s Web Permission Enforcement

Summary

Besides rendering pages in common browsers like Chrome, apps customarily rely on WebViews to display web pages. While browsers handle permissions through user prompts for each visited site, WebViews require developers to manage web permission requests individually, leaving significant room for error. However, to date, the community lacks insight into developers’ current practices for WebView permission enforcement. To address this research gap, we present the first large-scale study of how WebView is implemented with respect to web permission enforcement in the wild, focusing on Android apps. In particular, we develop an automated pipeline to detect apps that utilize WebView to display websites to users but lack proper web permission enforcement, which we refer to as privacy-harmful apps (PHAs). Our pipeline flagged 12,109 potential PHAs that compromise user-sensitive data due to a failure to implement web permission enforcement. Among these potential PHAs, we further demonstrate how malicious apps without sensitive permissions can exploit 2,219 PHAs through a confused deputy attack to load targeted malicious websites that access sensitive data like location, camera, and microphone simply by starting these PHAs. Our results highlight a notable privacy risk – including apps with over 500 million installations – as any website can secretly collect user data while browsing online, and malicious apps can abuse such PHAs to collect user data at scale. To help developers, we notify affected developers and gather insights from their feedback. Our findings reveal widespread and often misunderstood issues, emphasizing the necessity for collaborative efforts among stakeholders to address these privacy concerns.
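The two WebView behaviours the abstract contrasts, as an added Java example that is not from the paper or from any app it studied: a WebChromeClient that grants every web permission request (the pattern the authors call a PHA) beside one that hands camera, microphone and geolocation only to an origin allowlist, so a page loaded into the WebView by another app's Intent gets nothing. The origins, class names and the set of grantable resources are assumptions.

```java
import android.net.Uri;
import android.webkit.GeolocationPermissions;
import android.webkit.PermissionRequest;
import android.webkit.WebChromeClient;
import java.util.Arrays;
import java.util.Set;

// Pattern the paper calls a privacy-harmful app (PHA): every web permission
// request is granted without looking at which origin is asking.
class PermissiveChromeClient extends WebChromeClient {
    @Override
    public void onPermissionRequest(PermissionRequest request) {
        request.grant(request.getResources()); // any site gets camera/microphone
    }
    @Override
    public void onGeolocationPermissionsShowPrompt(String origin,
            GeolocationPermissions.Callback callback) {
        callback.invoke(origin, true, true); // any site gets location, remembered
    }
}

// Hardened form: only first-party origins may receive sensitive resources,
// and every other request is denied. The allowlist is a constructed placeholder.
class AllowlistChromeClient extends WebChromeClient {
    private static final Set<String> TRUSTED_ORIGINS =
            Set.of("https://app.example.com", "https://cdn.example.com");
    private static final Set<String> GRANTABLE = Set.of(
            PermissionRequest.RESOURCE_AUDIO_CAPTURE,
            PermissionRequest.RESOURCE_VIDEO_CAPTURE);

    static boolean isTrusted(Uri origin) {
        // Require https and an exact scheme+host match; a string prefix check
        // would let https://app.example.com.evil.test through.
        return origin != null && "https".equals(origin.getScheme())
                && TRUSTED_ORIGINS.contains("https://" + origin.getHost());
    }

    @Override
    public void onPermissionRequest(PermissionRequest request) {
        if (!isTrusted(request.getOrigin())) { request.deny(); return; }
        String[] allowed = Arrays.stream(request.getResources())
                .filter(GRANTABLE::contains).toArray(String[]::new);
        if (allowed.length == 0) request.deny(); else request.grant(allowed);
    }
    @Override
    public void onGeolocationPermissionsShowPrompt(String origin,
            GeolocationPermissions.Callback callback) {
        callback.invoke(origin, isTrusted(Uri.parse(origin)), false);
    }
}
```

Passing `false` as the third argument of `callback.invoke` keeps the geolocation decision per-load rather than persisting it, so a later change to the allowlist takes effect immediately.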

Conference Paper

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

Date published

2025-08-25

Date last modified

2025-05-14