Cybersecurity Bootcamp 25: When The Web Meets Apps

Slides

Download the slides.

Android Studio

Download Android Studio.

Android WebView Security

JavaScript Code Injection

• Blog Post by Felix Krause
• Paper: "An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications" (USENIX 2018)

Cookie Stealing

• Facebook Post on deprecating WebView login
• Google Post on deprecating (WK)WebView login
• OAuth 2.0 standard

Permission Enforcement

• Paper: "The Bridge between Web Applications and Mobile Platforms is Still Broken" (SecWeb 2022)
• Paper: "Open Access Alert: Studying the Privacy Risks in Android WebView’s Web Permission Enforcement" (ASIA CCS 2025)

Android Custom Tab Security

• Paper: "Tabbed Out: Subverting the Android Custom Tab Security Model" (S&P 2024)

Cross-Context State Inference

• PoC Source Code

Bottom Bar

• PoC Source Code

Android Tapjacking

• Paper: "TapTrap: Animation-Driven Tapjacking on Android (USENIX 2025)
• Website
• TapTrap Chrome Demo
• TapTrap Camera System Dialog Bypass