Security Researcher, Cat Lover and Escape Room Aficionado!

SOMBRA Accepted to CCS 25

22 May 2025

Congratulations to Haichuan Xu for getting his paper, "Lock the Door But Keep the Window Open: Extracting App-Protected Accessibility Information from Browser-Rendered Websites", accepted to the 32nd ACM Conference on Computer and Communications Security (CCS)!

Here is a synopsis of it. More to come in a future blog post, with the link to the presentation and paper:

While Android apps use robust features to shield sensitive data from malicious accessibility services, the mobile website counterparts of those Android apps lack these same protections. This research reveals that even when developers secure user information within their native app, attackers can still steal that same data by targeting the service’s less-protected, browser-rendered website. To address this, the authors developed SOMBRA, an automated tool that identifies what information is protected in an Android app and then scans the corresponding mobile website to pinpoint where that data is dangerously exposed. An analysis of 294 services with SOMBRA found that sensitive information like credit card numbers and passwords, though secured in-app, was consistently leaked on their websites, highlighting a widespread threat to user privacy.

Thank you, CyFI Lab!!