LUDroid: A Large Scale Analysis of Android - Web Hybridization

Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:Proceedings / IEEE International Working Conference on Source Code Analysis and Manipulation s. 256 - 267
Hlavní autoři: Tiwari, Abhishek, Prakash, Jyoti, Gross, Sascha, Hammer, Christian
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: IEEE 01.09.2019
Témata:
Android Hybrid Apps
Codes
Information Flow Control
Internet
Operating systems
Protocols
Security
Semantics
Source coding
Static analysis
Uniform resource locators
Web pages
ISSN:2470-6892
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces of the Android and JavaScript world might also incur severe security threats: Potentially untrusted webpages and their JavaScript might interfere with the Android environment and its access to native features. No general analysis is currently available to assess the implications of such hybrid apps bridging the two worlds. To understand the semantics and effects of hybrid apps, we perform a large-scale study on the usage of the hybridization APIs in the wild. We analyze and categorize the parameters to hybridization APIs for 7,500 randomly selected applications from the Google Playstore. Our results advance the general understanding of hybrid applications, as well as implications for potential program analyses, and the current security situation: We discover 6,375 flows of sensitive data from Android to JavaScript, out of which 82% could flow to potentially untrustworthy code. Our analysis identified 365 web pages embedding vulnerabilities and we exemplarily exploit them. Additionally, we discover 653 applications in which potentially untrusted Javascript code may interfere with (trusted) Android objects.
ISSN:2470-6892
DOI:10.1109/SCAM.2019.00036