Cross-Boundary Mobile Tracking: Exploring Java-to-JavaScript Information Diffusion in WebViews
Sohom Datta
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Web Security
This talk reveals a significant and largely undetected privacy abuse vector in the Android ecosystem: the exploitation of **WebView boundaries** to leak sensitive device information from Java/Kotlin app code into dynamically loaded JavaScript, which then exfiltrates it to third-party tracking servers. Researchers from NC State, the University of Illinois Chicago, and the Technical University of Crete built **WebView Tracer**, an open-source dynamic analysis system, and used it to analyze over 10,000 Google Play Store apps. Their findings are alarming: **90% of apps that injected sensitive data into WebViews also leaked it to external servers**, and popular games with over 100 million installs were among the worst offenders.
AI review
A rigorous, large-scale empirical study proving that Android WebViews are being systematically abused to exfiltrate sensitive user data through a channel that bypasses both Google Play Protect and state-of-the-art tracking detectors. Two years of Visible V8 engineering, 10,000 apps analyzed, and concrete evidence that 90% of data-injecting apps leak to external servers. This is real measurement science with actionable findings.