LUDroid: A Large Scale Analysis of Android - Web Hybridization
Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces...
Uložené v:
| Vydané v: | Proceedings / IEEE International Working Conference on Source Code Analysis and Manipulation s. 256 - 267 |
|---|---|
| Hlavní autori: | , , , |
| Médium: | Konferenčný príspevok.. |
| Jazyk: | English |
| Vydavateľské údaje: |
IEEE
01.09.2019
|
| Predmet: | |
| ISSN: | 2470-6892 |
| On-line prístup: | Získať plný text |
| Tagy: |
Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
|
| Abstract | Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces of the Android and JavaScript world might also incur severe security threats: Potentially untrusted webpages and their JavaScript might interfere with the Android environment and its access to native features. No general analysis is currently available to assess the implications of such hybrid apps bridging the two worlds. To understand the semantics and effects of hybrid apps, we perform a large-scale study on the usage of the hybridization APIs in the wild. We analyze and categorize the parameters to hybridization APIs for 7,500 randomly selected applications from the Google Playstore. Our results advance the general understanding of hybrid applications, as well as implications for potential program analyses, and the current security situation: We discover 6,375 flows of sensitive data from Android to JavaScript, out of which 82% could flow to potentially untrustworthy code. Our analysis identified 365 web pages embedding vulnerabilities and we exemplarily exploit them. Additionally, we discover 653 applications in which potentially untrusted Javascript code may interfere with (trusted) Android objects. |
|---|---|
| AbstractList | Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces of the Android and JavaScript world might also incur severe security threats: Potentially untrusted webpages and their JavaScript might interfere with the Android environment and its access to native features. No general analysis is currently available to assess the implications of such hybrid apps bridging the two worlds. To understand the semantics and effects of hybrid apps, we perform a large-scale study on the usage of the hybridization APIs in the wild. We analyze and categorize the parameters to hybridization APIs for 7,500 randomly selected applications from the Google Playstore. Our results advance the general understanding of hybrid applications, as well as implications for potential program analyses, and the current security situation: We discover 6,375 flows of sensitive data from Android to JavaScript, out of which 82% could flow to potentially untrustworthy code. Our analysis identified 365 web pages embedding vulnerabilities and we exemplarily exploit them. Additionally, we discover 653 applications in which potentially untrusted Javascript code may interfere with (trusted) Android objects. |
| Author | Tiwari, Abhishek Prakash, Jyoti Hammer, Christian Gross, Sascha |
| Author_xml | – sequence: 1 givenname: Abhishek surname: Tiwari fullname: Tiwari, Abhishek email: tiwari@uni-potsdam.de organization: Software Engineering Group, University of Potsdam, Potsdam, Germany – sequence: 2 givenname: Jyoti surname: Prakash fullname: Prakash, Jyoti email: jyoti@uni-potsdam.de organization: Software Engineering Group, University of Potsdam, Potsdam, Germany – sequence: 3 givenname: Sascha surname: Gross fullname: Gross, Sascha email: saschagross@uni-potsdam.de organization: Software Engineering Group, University of Potsdam, Potsdam, Germany – sequence: 4 givenname: Christian surname: Hammer fullname: Hammer, Christian email: chrhammer@uni-potsdam.de organization: Software Engineering Group, University of Potsdam, Potsdam, Germany |
| BookMark | eNotjLtOw0AQAA8EEnGgpqC5H7DZ3bvcgwLJcoAgGVGEiDI622t0yNjITmO-HhBUM8VoEnHSDz0LcYmQIYK_3hb5U0aAPgMAZY5EgpYcaq8sHosFaQupcZ7ORDJN7wAGjfYLcVvu1uMQmxuZyzKMbyy3dehY5n3o5ilOcmh_vPlNZCpfuZKbuRpjE7_CIQ79uThtQzfxxT-XYnd_91Js0vL54bHIyzQSqEOqqgAajHbofUOhUrUP9YqMC23r2ay04gqByDQ1sXZMNdXeGvRBWcYW1VJc_X0jM-8_x_gRxnnvvAKnrPoGl2pHaw |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/SCAM.2019.00036 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE/IET Electronic Library IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE/IET Electronic Library url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 1728149371 9781728149370 |
| EISSN | 2470-6892 |
| EndPage | 267 |
| ExternalDocumentID | 8930837 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IF 6IL 6IN AAJGR AAWTH ABLEC ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK OCL RIE RIL |
| ID | FETCH-LOGICAL-i203t-3ba040648199d2ab3c9ac5268aff9e6543eb10226dc2e48e2c2c97619a37e1f13 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 8 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000529322000027&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 06 17:53:24 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i203t-3ba040648199d2ab3c9ac5268aff9e6543eb10226dc2e48e2c2c97619a37e1f13 |
| PageCount | 12 |
| ParticipantIDs | ieee_primary_8930837 |
| PublicationCentury | 2000 |
| PublicationDate | 2019-Sep |
| PublicationDateYYYYMMDD | 2019-09-01 |
| PublicationDate_xml | – month: 09 year: 2019 text: 2019-Sep |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings / IEEE International Working Conference on Source Code Analysis and Manipulation |
| PublicationTitleAbbrev | SCAM |
| PublicationYear | 2019 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0061649 |
| Score | 1.7738959 |
| Snippet | Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 256 |
| SubjectTerms | Android Hybrid Apps Codes Information Flow Control Internet Operating systems Protocols Security Semantics Source coding Static analysis Uniform resource locators Web pages |
| Title | LUDroid: A Large Scale Analysis of Android - Web Hybridization |
| URI | https://ieeexplore.ieee.org/document/8930837 |
| WOSCitedRecordID | wos000529322000027&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NSwMxEB3a4sFT1Vb8JgePxu5Hmmw8CKVaeqiloMXeSpKdQC9dqa3gvzez3aoHL95CsrAwIfOG5L03ANeRl4TDXW7RSi6kiXmGJuFC-UQYejnqlkLhkRqPs9lMT2pw862FQcSSfIa3NCzf8vPCbeiqrBOwNVQMqg51peRWq7XLujKU_bqy7okj3Xnu956IuEVulBH5L__qnVJCx6D5v58eQPtHg8cm3-hyCDVcHkFz14SBVWeyBfej6cOqWOR3rMdGROsOSyHps53bCCs8I9Zi-IRx9oqWDT9JpVXpL9swHTy-9Ie8aorAF0mUrnlqTTh3UgQk13libOq0ceTZYrzXSErRkH0DMMvcJSgyTFziNN1VmFRh7OP0GBrLYoknwKzwRqILGG-siHJnlIkx4LUNVaEwmTyFFoVj_rb1vZhXkTj7e_oc9ineW_7VBTTWqw1ewp77WC_eV1flZn0BuBiUgQ |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV3PS8MwFH7MKehp6ib-NgePRts0S1sPwpiOid0YuOFuI0lfYZdV5ib435vXddODF28hKRReyPseyfd9D-DayxThcJMbNIpLpX0eoRZchpmQml6OmoVQOAn7_Wg8jgcVuNloYRCxIJ_hLQ2Lt_w0t0u6Krtz2OoqhnALtptSCm-l1lrnXeUK_7g07_G9-O613eoRdYv8KD1yYP7VPaUAj07tf7_dh8aPCo8NNvhyABWcHUJt3YaBlaeyDg_J6HGeT9N71mIJEbvdkkv7bO03wvKMEW_RfcI4e0PDul-k0yoVmA0YdZ6G7S4v2yLwqfCCBQ-MdidPSYflcSq0CWysLbm26CyLkbSiLv86aFapFSgjFFbYmG4rdBCin_nBEVRn-QyPgRmZaYXWobw20kutDrWPDrGNqwuljtQJ1Ckck_eV88WkjMTp39NXsNsd9pJJ8tx_OYM9iv2KjXUO1cV8iRewYz8X04_5ZbFx36OPl8g |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=proceeding&rft.title=Proceedings+%2F+IEEE+International+Working+Conference+on+Source+Code+Analysis+and+Manipulation&rft.atitle=LUDroid%3A+A+Large+Scale+Analysis+of+Android+-+Web+Hybridization&rft.au=Tiwari%2C+Abhishek&rft.au=Prakash%2C+Jyoti&rft.au=Gross%2C+Sascha&rft.au=Hammer%2C+Christian&rft.date=2019-09-01&rft.pub=IEEE&rft.eissn=2470-6892&rft.spage=256&rft.epage=267&rft_id=info:doi/10.1109%2FSCAM.2019.00036&rft.externalDocID=8930837 |