ABSTRACT
HTML5 hybrid apps have the potential to dominate the mobile and IoT market, as hybrid platforms provide a promising development choice. This approach "wraps" standard web code (HTML, JavaScript, and CSS) in a thin native layer, enabling the same code base to run on several platforms. It also provides a mechanism to access native device sensors, such as the camera and geolocation, from JavaScript code. Apache Cordova is an open-source library that is a common component of many hybrid platforms, such as PhoneGap and IBM Worklight. Yet its configuration model suffers from several security limitations, including a coarse-grained access control model, risky defaults, and, for many developers, a non-trivial configuration process. Hybrid app development is an intricate task as it is, let alone configuring these apps securely. Given the increased popularity of the approach itself and the proven tendency of developers to keep platform-provided default settings, this paper presents a novel approach to automatically generate configurations that are more closely aligned with the app's requirements, more granular, and more conformant with the principle of least privilege. We argue that aligned configurations form the first line of defense against attacks similar to injection attacks; such attacks could have been avoided if the app configurations were more granular and tailored. Our approach generates initial configuration settings by modeling app behavior. The model generates twofold policies, one centered on API access and the other on controlling app state transitions. We have successfully instrumented the Cordova library to implement our approach. We have tested the instrumented version, and our experiments demonstrate that it is a practical and performant alternative.
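The twofold policy the abstract describes (one part governing API access, the other governing app state transitions), as an added JavaScript illustration that is not the paper's instrumented Cordova code; the state names, the plugin calls (service/action pairs in the form passed to cordova.exec) and the event trace are constructed.

```javascript
// Added illustration of a twofold policy (API access + state transitions)
// for a Cordova-style hybrid app. Not the paper's implementation; the state
// names, plugin service/action pairs and the sample trace are constructed.

// Policy 1: native plugin calls (service.action, as passed to cordova.exec)
// each app state may issue. A state with no native needs gets an empty list.
const apiPolicy = {
  login:   [],
  home:    ["Geolocation.getLocation"],
  capture: ["Camera.takePicture", "File.write"],
};
// Policy 2: state transitions the app model allows.
const transitionPolicy = {
  login:   ["home"],
  home:    ["capture", "login"],
  capture: ["home"],
};

// Tracks the current state and decides whether a transition or a native
// call is permitted. Anything not listed in the policies is denied.
class PolicyMonitor {
  constructor(initialState) {
    if (!(initialState in transitionPolicy)) throw new Error("unknown state");
    this.state = initialState;
  }
  transition(next) {
    const ok = (transitionPolicy[this.state] || []).includes(next);
    if (ok) this.state = next;
    return ok;
  }
  allowExec(service, action) {
    return (apiPolicy[this.state] || []).includes(`${service}.${action}`);
  }
}
// Replays a trace of events and returns one verdict per event.
function replay(trace, initialState = "login") {
  const m = new PolicyMonitor(initialState);
  return trace.map(ev => ev.type === "transition"
    ? m.transition(ev.to) : m.allowExec(ev.service, ev.action));
}

// Constructed sample: a camera call from the login page is denied; the rest is allowed.
const sampleTrace = [
  { type: "exec", service: "Camera", action: "takePicture" },
  { type: "transition", to: "capture" }, // not reachable from login
  { type: "transition", to: "home" },
  { type: "transition", to: "capture" },
  { type: "exec", service: "Camera", action: "takePicture" },
];
```

Because both policies are default-deny, any state or call the behavior model did not produce is rejected, which is what makes the generated configuration narrower than Cordova's permissive defaults.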
Index Terms
- The Demon is in the Configuration: Revisiting Hybrid Mobile Apps Configuration Model