Difference between revisions of "Web View"

From MgmtWiki
Jump to: navigation, search
(Created page with "==Full Title and Meme== A display of information from a Web Site by an application that is installed on a user's computing device with full power to act as the user. ==Co...")
 
(Other References)
Line 31: Line 31:
  
 
===Other References===
 
===Other References===
 +
* [https://www.kirupa.com/apps/webview.htm Understanding Web Views]].
 
* [https://www.owasp.org/index.php/Main_Page The Open Web Application Security Project (OWASP)] is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
 
* [https://www.owasp.org/index.php/Main_Page The Open Web Application Security Project (OWASP)] is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
* [https://www.nationalisacs.org/ ISAC]s are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
+
 
* [[Native App]] wiki page.
 
* [[Native App Privacy]] wiki page.
 
  
 
[[Category:Security]]
 
[[Category:Security]]
 
[[Category:Identifier]]
 
[[Category:Identifier]]

Revision as of 12:26, 7 May 2019

Full Title and Meme

A display of information from a Web Site by an application that is installed on a user's computing device with full power to act as the user.

Context

  • The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is no longer just your computer any longer.
  • The Native App that is displaying the Web View is operating on the user's device with all of the privileges that the user enabled when the app was loaded.

Problems

  • In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.
  • The article Watch Out for a Clever Touch ID Scam Hitting the App Store shows how unscrupulous apps can fool the user in to granting access to their bank accounts.
  • A Web View is a display of information from a Web Site. There is no trustworthy indication that the Native App has correctly displayed the information that it obtained from the Web Site.

Solutions

  • The Native App exposes its name and the web site that backs it in a manner that allows the user to make a meaningful trust decision.
    • Android play store requires[1] any app that uses a brand name service to be securely bound to a URL that properly exposes that brand.
    • Apple has not released any plans to improve app naming security as of 2018-09-21.
  • Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.
  • Same Site was designed to help, but as of (2018-09-21) is not consistently applied.

Organizational Support

References

  1. 1.0 1.1 Handling Android App Links. https://developer.android.com/training/app-links/

Other References