Abstract
Because web URLs are frequently encountered in many application scenarios (e.g., chatting and reading email), many mobile apps build their own in-app browsing interfaces (IABIs) to provide a seamless user experience. Although this achieves user-friendliness by avoiding constant switching between the host app and the system's built-in browser, we find that IABIs, if not well designed or customized, can introduce usability security risks.
In this paper, we conduct the first empirical study on the usability (in)security of in-app browsing interfaces in both Android and iOS apps. Specifically, we collect a dataset of 25 high-profile mobile apps from five common application categories that contain IABIs, including Facebook and Gmail, and perform a systematic analysis (not an end-user study) that comprises eight carefully designed security tests and covers the entire course of opening, displaying, and navigating an in-app web page. During this process, we obtain three major security findings: (1) about 30% of the tested apps fail to provide enough URL information for users to make informed decisions on opening a URL; (2) nearly all custom IABIs have various problems in providing sufficient indicators to faithfully display an in-app page to users, whereas ten IABIs that are based on Chrome Custom Tabs and SFSafariViewController are generally secure; and (3) only a few IABIs give warnings to remind users of the risk of entering passwords while navigating a (potentially phishing) login page.
Most developers have acknowledged our findings, but their willingness and readiness to fix usability issues are rather low compared with fixing technical vulnerabilities, which is a puzzle in usability security research. Nevertheless, to help mitigate risky IABIs and guide future designs, we propose a set of secure IABI design principles.
| Original language | English |
|---|---|
| Title of host publication | RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses |
| Editors | Leyla BILGE, Tudor DUMITRAS |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 386-398 |
| Number of pages | 13 |
| ISBN (Electronic) | 9781450390583 |
| DOIs | |
| Publication status | Published - 7 Oct 2021 |
| Externally published | Yes |
| Event | 24th International Symposium on Research in Attacks, Intrusions and Defenses - San Sebastián, Spain Duration: 6 Oct 2021 → 8 Oct 2021 |
Conference
| Conference | 24th International Symposium on Research in Attacks, Intrusions and Defenses |
|---|---|
| Abbreviated title | RAID ’21 |
| Country/Territory | Spain |
| City | San Sebastián |
| Period | 6/10/21 → 8/10/21 |
Bibliographical note
Acknowledgments: We thank our shepherd, Yasemin Acar, for her comprehensive guidance and the anonymous reviewers for their valuable comments and suggestions.
Publisher Copyright:
© 2021 ACM.
Funding
This research/project is partially supported by the Singapore National Research Foundation under the National Satellite of Excellence in Mobile Systems Security and Cloud Security (NRF2018NCR-NSOE004-0001) and a direct grant (ref. no. 4055127) from The Chinese University of Hong Kong.
Keywords
- Android Security
- Usability Security
- WebView Security