Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/79229
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 蕭旭君 | zh_TW |
dc.contributor.advisor | Hsu-Chun Hsiao | en |
dc.contributor.author | 劉恩婷 | zh_TW |
dc.contributor.author | Ann Tene Low | en |
dc.date.accessioned | 2022-11-16T17:03:44Z | - |
dc.date.available | 2023-11-09 | - |
dc.date.copyright | 2022-11-15 | - |
dc.date.issued | 2022 | - |
dc.date.submitted | 2002-01-01 | - |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/79229 | - |
dc.description.abstract | Recent statistics show that 55% of web traffic comes from mobile users, and Chrome WebView ranks fourth in browser market share. Chrome WebView is one of the underlying engines of the objects of interest in this study. As users spend more time in mobile apps, app developers rely on in-app browsers to provide a better user experience. An in-app browser is launched when the user taps a URL in a conversation, an e-mail, or a post. However, in-app browsers do not provide all of the typical features of desktop or mobile browsers.
We therefore conducted this study to analyze the privacy and security risks of using in-app browsers. We collected 24 mobile apps in total, comprising mobile browsers and apps with in-app browsers, and designed 18 tests from three aspects: user interface, security mechanisms, and device fingerprinting. Although all apps appeared to implement the basic security mechanisms in our tests, the user interface and device fingerprinting tests revealed several areas that need improvement. In the process, we found that none of the mobile apps with a custom in-app browser satisfied the expected properties of all of our tests. Although Custom Tabs are more secure, the native app can still collect the user's browsing history and send it to a backend server. Our results show that users are exposed to malicious site owners and prying apps. In summary, we recommend that users open links from another mobile app in a more secure mobile browser. Alternatively, they can avoid the mobile app altogether and browse the mobile site in a mobile browser. | zh_TW |
dc.description.abstract | Recent statistics showed that 55 percent of web traffic originated from mobile devices, and Chrome WebView ranked fourth among the top browsers. Chrome WebView is one of the underlying engines of the objects of interest in this study. As users spend more time in their mobile apps, app developers rely on the in-app browser to provide a better user experience. In-app browsers are launched when users tap URLs in conversations, e-mails, or posts. However, in-app browsers do not offer all the typical features of desktop or mobile browsers.
Thus, we performed this study to analyze the privacy and security risks of using in-app browsers. We collected a total of 24 mobile apps, comprising mobile browsers and apps with in-app browsers, and designed 18 categories of tests from three aspects: user interface, security mechanisms, and fingerprinting surface. Although all apps appear to implement the basic security mechanisms in our tests, the user interface and fingerprinting tests disclose several aspects that need improvement. During this process, we discovered that none of the mobile apps with customized in-app browsers fulfilled the desired properties of all tests. Despite Custom Tabs being more secure, the native app could still gather the user's history and send it to a backend server. Our findings show that users are vulnerable to malicious site owners and prying applications. In conclusion, we suggest that users open links from another mobile app in a more secure mobile browser. Alternatively, they can avoid the mobile app altogether and browse the mobile site in a mobile browser. | en |
dc.description.tableofcontents | Verification Letter from the Oral Examination Committee i
Acknowledgements ii
摘要 (Chinese abstract) iii
Abstract v
Contents vii
List of Figures xi
List of Tables xii
Chapter 1 Introduction 1
Chapter 2 Background 3
  2.1 WebView 4
  2.2 Custom Tabs 4
  2.3 Related Work 5
    2.3.1 Mobile Browser User Interface 5
    2.3.2 Browser Security 5
    2.3.3 In-app browser risks 6
Chapter 3 Methodology 7
  3.1 Threat Models 8
    3.1.1 Malicious site owners 8
    3.1.2 Prying apps 8
  3.2 Datasets 9
  3.3 Guidelines 10
  3.4 User Interface 10
    3.4.1 Before clicking URL 11
      3.4.1.1 URL format 12
      3.4.1.2 URL opening options 12
      3.4.1.3 Modifications on copied URL 13
    3.4.2 Browser view 14
      3.4.2.1 Displayed URL 14
      3.4.2.2 Security Indicators 15
      3.4.2.3 TLS identity button 16
      3.4.2.4 TLS errors 16
      3.4.2.5 Anti-phishing feature 17
    3.4.3 Sensitive Information 18
  3.5 Security Mechanism 18
    3.5.1 HTTP Strict-Transport-Security 19
    3.5.2 HTTP cookies 19
    3.5.3 Referrer-Policy 20
    3.5.4 X-Content-Type-Options 20
    3.5.5 X-Frame-Options 21
    3.5.6 Permissions Policy 21
  3.6 Device Fingerprinting Surface 23
    3.6.1 HTTP headers 23
    3.6.2 Mobile Sensor 24
    3.6.3 Injecting JavaScript 24
    3.6.4 Requests accompanied with URL navigation 25
Chapter 4 Result 26
  4.1 User Interface 26
    4.1.1 Before clicking URL 26
      4.1.1.1 URL format 26
      4.1.1.2 URL opening options 28
      4.1.1.3 Modifications on shared URL 28
    4.1.2 Browser View 29
      4.1.2.1 Displayed URL 29
      4.1.2.2 Security Indicators 30
      4.1.2.3 TLS Identity button 32
      4.1.2.4 TLS Errors 32
      4.1.2.5 Anti-Phishing feature 34
      4.1.2.6 Sensitive Information 35
  4.2 Security Mechanism 35
    4.2.1 HTTP Strict-Transport-Security 35
    4.2.2 HTTP Cookies 36
    4.2.3 Others 36
    4.2.4 Permissions Policy 37
  4.3 Device Fingerprinting Surface 38
    4.3.1 User Agent String 38
    4.3.2 Mobile Sensor 41
    4.3.3 Injecting JavaScript 42
    4.3.4 Requests accompanied with URL navigation 42
Chapter 5 Discussion 46
  5.1 Limitations 46
  5.2 Recommendations on in-app browsers 47
    5.2.1 Users 47
    5.2.2 App developers 47
Chapter 6 Conclusion 49
References 50
Appendix A — URLs used in evaluations 55 | - |
dc.language.iso | en | - |
dc.title | 應用程式內建瀏覽器的隱私與安全風險 | zh_TW |
dc.title | On the Privacy and Security Risks of In-app Browsers | en |
dc.title.alternative | On the Privacy and Security Risks of In-app Browsers | - |
dc.type | Thesis | - |
dc.date.schoolyear | 111-1 | - |
dc.description.degree | Master | - |
dc.contributor.oralexamcommittee | 黎士瑋;黃俊穎 | zh_TW |
dc.contributor.oralexamcommittee | Shih-Wei Li;Chun-Ying Huang | en |
dc.subject.keyword | Mobile in-app browsers,WebView,Custom Tabs, | zh_TW |
dc.subject.keyword | In-app Browsers,WebView,Custom Tabs, | en |
dc.relation.page | 56 | - |
dc.identifier.doi | 10.6342/NTU202204283 | - |
dc.rights.note | Authorized (access restricted to campus) | - |
dc.date.accepted | 2022-10-21 | - |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
dc.contributor.author-dept | Graduate Institute of Networking and Multimedia | - |
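The table of contents above lists two device-fingerprinting tests, the user-agent string (4.3.1) and injected JavaScript (4.3.3), without showing how a probe page would carry them out. The following is an added illustration, not code from the thesis: a probe that classifies the engine from the user-agent string (Android WebView marks itself with a "; wv)" token and a "Version/4.0" product that plain Chrome, and therefore Custom Tabs, lacks) and that diffs the page's global names against a baseline snapshot to catch globals a host app injected, optionally watching for script elements added after load. The user-agent strings, the baseline sets and the `__hostAppBridge` name used in the test are constructed for the example.

```javascript
// Added example: probe logic for the user-agent and injected-JavaScript
// fingerprinting tests. Runs in a browser page or in Node on constructed input.

// Android WebView user-agent strings carry a "; wv)" platform token and a
// "Version/4.0" product; Chrome proper (and so Custom Tabs) has neither.
function classifyUserAgent(ua) {
  const isAndroid = /\bAndroid\b/.test(ua);
  const hasWvToken = /;\s*wv\)/.test(ua);
  const hasVersion40 = /\bVersion\/4\.0\b/.test(ua);
  const chrome = ua.match(/\bChrome\/(\d+)/);
  const chromeMajor = chrome ? Number(chrome[1]) : null;
  if (isAndroid && (hasWvToken || hasVersion40)) {
    return { engine: "android-webview", chromeMajor };
  }
  if (chrome) return { engine: "chrome", chromeMajor };
  return { engine: "other", chromeMajor };
}

// Snapshot the own property names of a window-like object so that a later
// snapshot can be diffed. A host app that injects JavaScript typically
// leaves bridge objects or helper globals behind.
function snapshotGlobals(win) {
  return new Set(Object.getOwnPropertyNames(win));
}

// Names present now that were absent from the baseline, sorted for stable output.
function findInjectedGlobals(win, baseline) {
  return Object.getOwnPropertyNames(win)
    .filter((name) => !baseline.has(name))
    .sort();
}

// Report script elements inserted after the page loaded. Only meaningful in a
// browser; returns null where there is no MutationObserver (e.g. Node).
function watchForInjectedScripts(doc, onScript) {
  if (typeof MutationObserver === "undefined" || !doc) return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName === "SCRIPT") {
          onScript(node.src || String(node.textContent).slice(0, 200));
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Combine both checks into one report for a given page context.
function runProbe(ua, win, baseline) {
  return {
    ...classifyUserAgent(ua),
    injectedGlobals: findInjectedGlobals(win, baseline),
  };
}

// In a real page: take the baseline as early as possible (inline in <head>),
// then re-run the diff after load, when host apps usually inject their code.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const baseline = snapshotGlobals(window);
  watchForInjectedScripts(document, (s) => console.log("injected script:", s));
  window.addEventListener("load", () => {
    console.log(runProbe(navigator.userAgent, window, baseline));
  });
}
```

The baseline must be captured before any third-party script runs, otherwise legitimate globals show up as "injected"; in practice the diff is most useful when the same probe page is loaded in a plain mobile browser first and the two reports are compared.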
Appears in collections: | Graduate Institute of Networking and Multimedia |
Files in this item:
File | Size | Format |
---|---|---|
U0001-1810202221185500.pdf (access restricted to NTU on-campus IP addresses; use the VPN service from off campus) | 6.81 MB | Adobe PDF |
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.