{"id":"https://openalex.org/W4416549474","doi":"https://doi.org/10.1145/3719027.3765215","title":"Deep Dive into In-app Browsers: Uncovering Hidden Pitfalls in Certificate Validation","display_name":"Deep Dive into In-app Browsers: Uncovering Hidden Pitfalls in Certificate Validation","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549474","doi":"https://doi.org/10.1145/3719027.3765215"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3765215","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3719027.3765215","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5089897667","display_name":"W. Lee","orcid":"https://orcid.org/0000-0002-9984-6879"},"institutions":[{"id":"https://openalex.org/I197347611","display_name":"Korea University","ror":"https://ror.org/047dqcg40","country_code":"KR","type":"education","lineage":["https://openalex.org/I197347611"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Woonghee Lee","raw_affiliation_strings":["Computer Science and Engineering, Korea University, Seoul, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-9984-6879","affiliations":[{"raw_affiliation_string":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea","institution_ids":["https://openalex.org/I197347611"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5059902523","display_name":"Junbeom Hur","orcid":"https://orcid.org/0000-0002-4823-4194"},"institutions":[{"id":"https://openalex.org/I197347611","display_name":"Korea University","ror":"https://ror.org/047dqcg40","country_code":"KR","type":"education","lineage":["https://openalex.org/I197347611"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Junbeom Hur","raw_affiliation_strings":["Computer Science and Engineering, Korea University, Seoul, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-4823-4194","affiliations":[{"raw_affiliation_string":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea","institution_ids":["https://openalex.org/I197347611"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5058681644","display_name":"Hyunsoo Kwon","orcid":"https://orcid.org/0000-0002-6728-0698"},"institutions":[{"id":"https://openalex.org/I191879574","display_name":"Inha University","ror":"https://ror.org/01easw929","country_code":"KR","type":"education","lineage":["https://openalex.org/I191879574"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Hyunsoo Kwon","raw_affiliation_strings":["Computer Engineering, Inha University, Incheon, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-6728-0698","affiliations":[{"raw_affiliation_string":"Computer Engineering, Inha University, Incheon, Republic of Korea","institution_ids":["https://openalex.org/I191879574"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.9443,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.80410717,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":95,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"2997","last_page":"3011"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.39719998836517334,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.39719998836517334,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.19009999930858612,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.15320000052452087,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/certificate","display_name":"Certificate","score":0.7109000086784363},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.6668000221252441},{"id":"https://openalex.org/keywords/authorization-certificate","display_name":"Authorization certificate","score":0.5924000144004822},{"id":"https://openalex.org/keywords/root-certificate","display_name":"Root certificate","score":0.5648999810218811},{"id":"https://openalex.org/keywords/public-key-certificate","display_name":"Public key certificate","score":0.4185999929904938},{"id":"https://openalex.org/keywords/certificate-authority","display_name":"Certificate authority","score":0.3783999979496002}],"concepts":[{"id":"https://openalex.org/C96865113","wikidata":"https://www.wikidata.org/wiki/Q2946816","display_name":"Certificate","level":2,"score":0.7109000086784363},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6814000010490417},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.6668000221252441},{"id":"https://openalex.org/C175093008","wikidata":"https://www.wikidata.org/wiki/Q758251","display_name":"Authorization certificate","level":5,"score":0.5924000144004822},{"id":"https://openalex.org/C62057728","wikidata":"https://www.wikidata.org/wiki/Q7366568","display_name":"Root certificate","level":5,"score":0.5648999810218811},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.49050000309944153},{"id":"https://openalex.org/C167529545","wikidata":"https://www.wikidata.org/wiki/Q274758","display_name":"Public key certificate","level":4,"score":0.4185999929904938},{"id":"https://openalex.org/C93636275","wikidata":"https://www.wikidata.org/wiki/Q196776","display_name":"Certificate authority","level":4,"score":0.3783999979496002},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.33629998564720154},{"id":"https://openalex.org/C147296133","wikidata":"https://www.wikidata.org/wiki/Q196765","display_name":"Revocation list","level":5,"score":0.33250001072883606},{"id":"https://openalex.org/C186967261","wikidata":"https://www.wikidata.org/wiki/Q5082128","display_name":"Mobile device","level":2,"score":0.3321000039577484},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.26840001344680786}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3719027.3765215","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3719027.3765215","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G389387192","display_name":null,"funder_award_id":"No.73799-1","funder_id":"https://openalex.org/F4320321370","funder_display_name":"Inha University"}],"funders":[{"id":"https://openalex.org/F4320321370","display_name":"Inha University","ror":"https://ror.org/01easw929"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W36948825","https://openalex.org/W1976919795","https://openalex.org/W2104899073","https://openalex.org/W2167661907","https://openalex.org/W2299781188","https://openalex.org/W2650293344","https://openalex.org/W2701082322","https://openalex.org/W2767162229","https://openalex.org/W2794584163","https://openalex.org/W2798939599","https://openalex.org/W2964540713","https://openalex.org/W2980273018","https://openalex.org/W3172154247","https://openalex.org/W3205884146","https://openalex.org/W3212377246","https://openalex.org/W4233819588","https://openalex.org/W4384155689","https://openalex.org/W4400108864"],"related_works":[],"abstract_inverted_index":{"While":[0],"providing":[1,253],"a":[2,94,224,245],"seamless":[3],"user":[4],"experience":[5],"by":[6,252],"enabling":[7],"web":[8],"access":[9],"within":[10],"the":[11,41,164,172,209],"app,":[12],"in-app":[13,46],"browsers":[14,158],"raise":[15],"security":[16,247],"concerns,":[17],"particularly":[18,85],"in":[19,167,204],"certificate":[20,42,60,65,112,123,152,174,215,258],"validation,":[21],"which":[22,83,177,207],"can":[23],"leave":[24],"users":[25],"vulnerable":[26],"to":[27,68,120,211,233,255],"Man-In-The-Middle":[28],"(MITM)":[29],"or":[30],"phishing":[31],"attacks":[32],"unless":[33],"appropriately":[34],"implemented.In":[35],"this":[36],"paper,":[37],"we":[38,92,193,222,250],"systematically":[39],"evaluated":[40],"validation":[43,175,203,259],"mechanisms":[44],"of":[45,144,214],"browsers,":[47],"also":[48],"known":[49],"as":[50,132,134,187,244],"WebView,":[51,206],"focusing":[52],"on":[53,87,171],"how":[54],"effectively":[55],"they":[56],"comply":[57],"with":[58],"X.509":[59],"standards":[61],"and":[62,70,77,90,104,109,117,129,136,147,159,181,190,230],"support":[63,183],"advanced":[64,122],"extensions":[66,185],"related":[67],"revocation":[69],"Certificate":[71],"Transparency":[72],"(CT).":[73],"To":[74,217],"ensure":[75],"reproducibility":[76],"enable":[78],"platform-specific":[79],"trust":[80],"anchor":[81],"control":[82],"is":[84],"challenging":[86],"Android":[88,105,128,139,168,205],"14":[89],"later,":[91],"developed":[93],"unified":[95],"framework":[96],"called":[97],"FAITH":[98,108],"using":[99],"physical":[100],"devices":[101],"for":[102,184],"iOS":[103,130,160],"emulators.":[106],"Using":[107],"115":[110],"crafted":[111],"chains\u2014including":[113],"87":[114],"non-compliant":[115,145,149],"chains":[116,146],"28":[118],"designed":[119],"test":[121],"extensions\u2014we":[124],"tested":[125],"20":[126],"popular":[127],"apps,":[131],"well":[133],"desktop":[135],"mobile":[137],"browsers.":[138],"WebView":[140],"apps":[141],"accepted":[142],"77.0%":[143],"all":[148],"intermediate":[150,197],"CA":[151,198,226],"tests,":[153],"significantly":[154],"higher":[155],"than":[156],"mainstream":[157],"apps.":[161],"We":[162],"identified":[163],"root":[165],"cause":[166],"WebView's":[169,257],"reliance":[170],"system-level":[173],"handler,":[176],"performs":[178],"minimal":[179],"checks":[180],"lacks":[182],"such":[186],"OCSP":[188],"Must-Staple":[189],"Precertificate.":[191],"Additionally,":[192],"found":[194],"that":[195],"cached":[196],"certificates":[199],"are":[200],"reused":[201],"during":[202],"exposes":[208],"process":[210],"unintended":[212],"bypass":[213],"checks.":[216],"demonstrate":[218],"its":[219],"real-world":[220],"impact,":[221],"constructed":[223],"detailed":[225],"caching":[227],"attack":[228],"scenario,":[229],"disclosed":[231],"it":[232],"responsible":[234],"vendors":[235],"including":[236],"Google.":[237],"The":[238],"reported":[239],"bug":[240],"was":[241],"subsequently":[242],"acknowledged":[243],"valid":[246],"vulnerability.":[248],"Finally,":[249],"conclude":[251],"recommendations":[254],"improve":[256],"behavior.":[260]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-07-01T08:55:40.977307","created_date":"2025-11-23T00:00:00"}
