Deep Dive into In-app Browsers: Uncovering Hidden Pitfalls in Certificate Validation

  • Woonghee Lee
  • Junbeom Hur*
  • Hyunsoo Kwon*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

While providing a seamless user experience by enabling web access within the app, in-app browsers raise security concerns, particularly in certificate validation, which can leave users vulnerable to Man-In-The-Middle (MITM) or phishing attacks unless appropriately implemented. In this paper, we systematically evaluated the certificate validation mechanisms of in-app browsers, also known as WebView, focusing on how effectively they comply with X.509 certificate standards and support advanced certificate extensions related to revocation and Certificate Transparency (CT). To ensure reproducibility and enable platform-specific trust anchor control, which is particularly challenging on Android 14 and later, we developed a unified framework called FAITH using physical devices for iOS and Android emulators. Using FAITH and 115 crafted certificate chains (including 87 non-compliant chains and 28 designed to test advanced certificate extensions), we tested 20 popular Android and iOS apps, as well as desktop and mobile browsers. Android WebView apps accepted 77.0% of non-compliant chains and all non-compliant intermediate CA certificate tests, significantly higher than mainstream browsers and iOS apps. We identified the root cause in Android WebView's reliance on the system-level certificate validation handler, which performs minimal checks and lacks support for extensions such as OCSP Must-Staple and Precertificate. Additionally, we found that cached intermediate CA certificates are reused during validation in Android WebView, which exposes the process to unintended bypass of certificate checks. To demonstrate its real-world impact, we constructed a detailed CA caching attack scenario, and disclosed it to responsible vendors including Google. The reported bug was subsequently acknowledged as a valid security vulnerability. Finally, we conclude by providing recommendations to improve WebView's certificate validation behavior.

Original language: English
Title of host publication: CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 2997-3011
Number of pages: 15
ISBN (Electronic): 9798400715259
Publication status: Published - 2025 Nov 22
Event: 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025 - Taipei, Taiwan, Province of China
Duration: 2025 Oct 13 to 2025 Oct 17

Publication series

Name: CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security

Conference

Conference: 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
Country/Territory: Taiwan, Province of China
City: Taipei
Period: 25/10/13 to 25/10/17

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Keywords

  • Certificate Validation
  • In-app Browser
  • WebView Security

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Computer Science Applications
