Difference between revisions of "Web View"

From MgmtWiki
Jump to: navigation, search
(Organizational Support)
(Solutions)
Line 15: Line 15:
 
==Solutions==
 
==Solutions==
 
* The [[Native App]] exposes its name and the [[Web Platform Identifier]] of the web site that backs it so that the user can make a meaningful trust decision.
 
* The [[Native App]] exposes its name and the [[Web Platform Identifier]] of the web site that backs it so that the user can make a meaningful trust decision.
** Android play store requires<ref name='android'>''Handling Android App Links.'' https://developer.android.com/training/app-links/</ref> any app that uses a brand name service to be securely bound to a [[URL]] that properly exposes that brand.
+
** Android play store requires<ref name='android'>''Handling Android App Links.'' https://developer.android.com/training/app-links/</ref> any app that uses a [[Brand]] name service to be securely bound to a [[URL]] that properly exposes that brand.
 
** Apple has not released any plans to improve app naming security as of 2018-09-21.
 
** Apple has not released any plans to improve app naming security as of 2018-09-21.
 
* Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
 
* Joint use [[Native App]]s are provide to some industries for all to use. It makes the trust decision by the user much more difficult.

Revision as of 17:27, 24 May 2019

Full Title and Meme

A display of information from a Web Site by an application that is installed on a user's computing device with full power to act as the user.

Context

  • The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is no longer just your computer any longer.
  • The Native App that is displaying the Web View is operating on the user's device with all of the privileges that the user enabled when the app was loaded.

Problems

  • In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.
  • The article Watch Out for a Clever Touch ID Scam Hitting the App Store shows how unscrupulous apps can fool the user in to granting access to their bank accounts.
  • A Web View is a display of information from a Web Site. There is no trustworthy indication that the Native App has correctly displayed the information that it obtained from the Web Site.
  • Any script running inside of a Web View is operating with the full permissions of the user. There is no sandbox as there is with a trustworthy web browser.
  • There is no means for the user's device to indicate the trustworthiness of any running app.

Solutions

  • The Native App exposes its name and the Web Platform Identifier of the web site that backs it so that the user can make a meaningful trust decision.
    • Android play store requires[1] any app that uses a Brand name service to be securely bound to a URL that properly exposes that brand.
    • Apple has not released any plans to improve app naming security as of 2018-09-21.
  • Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
  • Same Site was designed to help, but as of (2018-09-21) is not consistently applied.

Organizational Support

References

  1. 1.0 1.1 Handling Android App Links. https://developer.android.com/training/app-links/

Other References