Draco: A system for uniform and fine-grained access control for web code on Android

Güliz Seray Tuncay, Soteris Demetriou, Carl A. Gunter

Research output: Chapter in Book/Report/Conference proceedingConference contribution


In-app embedded browsers are commonly used by app developers to display web content without having to redirect the user to heavyweight web browsers. Just like the conventional web browsers, embedded browsers can allow the execution of web code. In addition, they provide mechanisms (viz., JavaScript bridges) to give web code access to internal app code that might implement critical functionalities and expose device resources. This is intrinsically dangerous since there is currently no means for app developers to perform origin-based access control on the JavaScript bridges, and any web code running in an embedded browser is free to use all the exposed app and device resources. Previous work that addresses this problem provided access control solutions that work only for apps that are built using hybrid frameworks. Additionally, these solutions focused on protecting only the parts of JavaScript bridges that expose permissions-protected resources. In this work, our goal is to provide a generic solution that works for all apps that utilize embedded web browsers and protects all channels that give access to internal app and device resources. Towards realizing this goal, we built Draco, a uniform and fine-grained access control framework for web code running on Android embedded browsers (viz., WebView). Draco provides a declarative policy language that allows developers to define policies to specify the desired access characteristics of web origins in a fine-grained fashion, and a runtime system that dynamically enforces the policies. In contrast with previous work, we do not assume any modifications to the Android operating system, and implement Draco in the Chromium Android System WebView app to enable seamless deployment. Our evaluation of the the Draco runtime system shows that Draco incurs negligible overhead, which is in the order of microseconds.

Original languageEnglish (US)
Title of host publicationCCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Number of pages12
ISBN (Electronic)9781450341394
StatePublished - Oct 24 2016
Event23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: Oct 24 2016Oct 28 2016

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Other23rd ACM Conference on Computer and Communications Security, CCS 2016


  • Access control
  • Android
  • Exploitation
  • HTML5
  • JavaScript
  • JavaScript bridges
  • Origin
  • WebView

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Draco: A system for uniform and fine-grained access control for web code on Android'. Together they form a unique fingerprint.

Cite this