On the usability (in)security of in-app browsing interfaces in mobile apps

Author

Zicheng ZHANG, Singapore Management UniversityFollow
Daoyuan WU
Lixiang LI
Debin GAO, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

10-2021

Abstract

Due to the frequent encountering of web URLs in various application scenarios (e.g., chatting and email reading), many mobile apps build their in-app browsing interfaces (IABIs) to provide a seamless user experience. Although this achieves user-friendliness by avoiding the constant switching between the subject app and the system built-in browser apps, we find that IABIs, if not well designed or customized, could result in usability security risks. In this paper, we conduct the first empirical study on the usability (in)security of in-app browsing interfaces in both Android and iOS apps. Specifically, we collect a dataset of 25 high-profile mobile apps from five common application categories that contain IABIs, including Facebook and Gmail, and perform a systematic analysis (not end-user study though) that comprises eight carefully designed security tests and covers the entire course of opening, displaying, and navigating an in-app web page. During this process, we obtain three major security findings: (1) about 30% of the tested apps fail to provide enough URL information for users to make informed decisions on opening an URL; (2) nearly all custom IABIs have various problems in providing sufficient indicators to faithfully display an in-app page to users, whereas ten IABIs that are based on Chrome Custom Tabs and SFSafariViewController are generally secure; and (3) only a few IABIs give warnings to remind users of the risk of inputting passwords during navigating a (potentially phishing) login page. Most developers had acknowledged our findings but their willingness and readiness to fix usability issues are rather low compared to fixing technical vulnerabilities, which is a puzzle in usability security research. Nevertheless, to help mitigate risky IABIs and guide future designs, we propose a set of secure IABI design principles.

Keywords

Android Security, Usability Security, WebView Security

Discipline

Information Security | Software Engineering

Research Areas

Cybersecurity

Publication

The 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2021), Sebastian, Spain, October 6-8

First Page

386

Last Page

398

Identifier

10.1145/3471621.3471625

Publisher

ACM

City or Country

San Sebastian, Spain

Citation

ZHANG, Zicheng; WU, Daoyuan; LI, Lixiang; and GAO, Debin. On the usability (in)security of in-app browsing interfaces in mobile apps. (2021). The 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2021), Sebastian, Spain, October 6-8. 386-398.
Available at: https://ink.library.smu.edu.sg/sis_research/6704

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.