Tabbed Out: Subverting the Android Custom Tab Security Model
Philipp Beer, Marco Squarcina, Lorenzo Veronese, Martina Lindorfer
IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 5
How an Android app displays web content carries significant security implications. While the Android WebView component offers flexibility, its known security weaknesses have prompted developers to seek more robust alternatives. This talk, "Tabbed Out: Subverting the Android Custom Tab Security Model," presented at IEEE S&P by Philipp Beer with co-authors Marco Squarcina, Lorenzo Veronese, and Martina Lindorfer, dissects the security model of Android Custom Tabs, a component widely recommended for displaying third-party web content.
AI review
This research unearths a novel class of "cross-context leaks" in Android Custom Tabs, demonstrating six new vulnerabilities including three CVEs. It meticulously details how supposedly secure components can be subverted for stealthy state inference, URL leakage, and sophisticated phishing. The work is critical for developers and exposes significant gaps in current vendor understanding of the attack surface.