
Closer Look at Mobile Hybrid Apps Configurations: Statistics and Implications

Conference paper
In: Advances in Information and Communication (FICC 2019)
Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 70)

Abstract

We are witnessing a transition in mobile development from native, platform-specific architectures to web-based cross-platform frameworks. Bringing web code onto smartphones has several security implications. In this paper, we present a large-scale study centered on the configurations and permission-usage patterns of mobile hybrid apps. We study the platform's configuration model and its evolution. We find that while the platform is adding more security features, there is a demonstrable misconfiguration trend. Analyzing a set of 2111 hybrid apps uncovered several alarming observations. We found that 80% of the apps are vulnerable to injection attacks because the security model provided by the platform is either absent or poorly used. We also detect a trend of keeping risky default configuration settings, which results in over-privileged apps that may expose device APIs to malicious code. On the system side, we find that most of the apps have access to the platform's INTERNET and GEOLOCATION permissions. Google messaging is also the most widely used third-party service. In addition, we detect a suspicious set of whitelisted domains, including spying, payment, adware, and military domains. This study makes the following contributions: (1) systematizing our knowledge about the configuration model of mobile hybrid apps; (2) providing evidence of configuration misuse and developers' tendency to use defaults; (3) discussing possible reasons for misconfiguration practices and suggesting recommendations that address both the platform and the developer.
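The "security model provided by the platform" that the abstract refers to is Cordova's whitelist in config.xml (the `<access>` and `<allow-navigation>` elements enforced by cordova-plugin-whitelist) together with the Content-Security-Policy meta tag in www/index.html. The audit script below is an added example, not the paper's tooling or any Cordova project code: it runs the two checks the abstract counts (a wildcard whitelist that admits any origin into the WebView, and a missing or permissive CSP) over a constructed default-style configuration and a constructed hardened one. The sample files, the hostname api.example.com and the severity labels are assumptions for illustration.

```python
"""Audit a Cordova/PhoneGap app for the misconfigurations the paper counts: a
whitelist in config.xml that admits any origin into the WebView, and a missing or
permissive Content-Security-Policy in www/index.html. The checks and the sample
files below are constructed for this example; they are not the paper's tooling."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: config left as generated, keeping the template's wildcard
# <access origin="*"/>, plus an added <allow-navigation href="*"/>; no CSP at all.
DEFAULT_CONFIG_XML = """\
<widget id="com.example.hello" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <content src="index.html" />
  <access origin="*" />
  <allow-intent href="https://*/*" />
  <allow-navigation href="*" />
</widget>"""
DEFAULT_INDEX_HTML = "<html><head><title>Hello</title></head><body></body></html>"

# Constructed sample: whitelist scoped to the app's API host, and a CSP that
# blocks inline and remote script ('gap:' is the Cordova iOS bridge scheme).
HARDENED_CONFIG_XML = """\
<widget id="com.example.hello" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <content src="index.html" />
  <access origin="https://api.example.com" />
  <allow-intent href="https://*/*" />
  <allow-navigation href="https://api.example.com/*" />
</widget>"""
HARDENED_INDEX_HTML = """\
<html><head><meta http-equiv="Content-Security-Policy"
  content="default-src 'self' gap:; script-src 'self'; connect-src https://api.example.com;
           style-src 'self'; img-src 'self' data:"></head><body></body></html>"""


def is_wildcard(pattern):
    """True when a whitelist pattern matches every host: '*', 'https://*/*', ..."""
    host = pattern.strip().split("://", 1)[-1].split("/", 1)[0]
    return host == "*"


def audit_config_xml(xml_text):
    """(severity, element, value, why) for the network and navigation whitelist.
    <allow-intent> only hands URLs to other apps, so it is not flagged here."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the widgets namespace
        if name == "access":
            origin = el.get("origin", "")
            if is_wildcard(origin):
                out.append(("high", name, origin, "any origin can be fetched into the WebView"))
            elif origin.lower().startswith("http://"):
                out.append(("medium", name, origin, "cleartext origin: on-path script injection"))
        elif name == "allow-navigation" and is_wildcard(el.get("href", "")):
            out.append(("high", name, el.get("href"),
                        "any page can be loaded where plugin (device) APIs are exposed"))
    return out


class _CSPMeta(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")


def audit_csp(html_text):
    """Findings for the effective script-src of the page's CSP, or its absence."""
    parser = _CSPMeta()
    parser.feed(html_text)
    if not parser.policies:
        return [("high", "csp", "", "no Content-Security-Policy: injected markup runs script")]
    out = []
    for policy in parser.policies:
        directives = {}
        for directive in policy.split(";"):
            tokens = directive.lower().split()
            if tokens:
                directives[tokens[0]] = tokens[1:]
        script = directives.get("script-src", directives.get("default-src", []))  # CSP fallback
        if "'unsafe-inline'" in script:
            out.append(("high", "csp", "'unsafe-inline'", "inline <script> and on* handlers run"))
        out += [("medium", "csp", s, "script loadable from any origin of that kind")
                for s in script if s in ("*", "http:", "https:", "data:")]
        if "'unsafe-eval'" in script:
            out.append(("low", "csp", "'unsafe-eval'", "eval()-style string-to-code stays on"))
    return out


def audit_app(config_xml, index_html):
    """All findings for one app, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(audit_config_xml(config_xml) + audit_csp(index_html), key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for label, cfg, page in (("default", DEFAULT_CONFIG_XML, DEFAULT_INDEX_HTML),
                             ("hardened", HARDENED_CONFIG_XML, HARDENED_INDEX_HTML)):
        findings = audit_app(cfg, page)
        print(f"== {label}: {len(findings)} finding(s)")
        for sev, element, value, why in findings:
            print(f"  [{sev}] {element} {value!r}: {why}")
```

The default-style sample produces three high findings (wildcard `<access>`, wildcard `<allow-navigation>`, no CSP), which is the combination the abstract describes as leaving an app open to injection and exposing device APIs; the hardened sample produces none. To reproduce the paper's kind of survey, point `audit_app` at the config.xml and index.html extracted from each APK's assets/www directory.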


Notes

  1. https://techcrunch.com/2015/06/02/6-1b-smartphone-users-globally-by-2020-overtaking-basic-fixed-phone-subscriptions/.

  2. https://www.smashingmagazine.com/2017/02/current-trends-future-prospects-mobile-app-market/.

  3. https://www.g2crowd.com/categories/mobile-development-platforms.

  4. http://www.business2community.com/mobile-apps/2017-mobile-app-market-statistics-trends-analysis-01750346#HyFxJzqDdhgIGqkp.97.

  5. http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/.

  6. https://saucelabs.com/blog/hybrid-apps-and-the-future-of-mobile-computing.

  7. https://www.pixelcrayons.com/blog/mobile/cross-platform-mobile-development-trends-tactics-and-tools/.

  8. http://docs.phonegap.com/phonegap-build/configuring/.

  9. https://cordova.apache.org/docs/en/latest/confignref/index.html/.

  10. https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/.

  11. https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/.

  12. https://cordova.apache.org/docs/en/3.5.0/guide/appdev/security/index.html.

  13. https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/.

  14. https://developer.android.com/training/permissions/requesting.html.

References

  1. Jin, X., Luo, T., Tsui, D.G., Du, W.: Code injection attacks on HTML5-based mobile apps. arXiv preprint arXiv:1410.7756 (2014)

  2. Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 66–77. ACM (2014)

  3. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 343–352. ACM (2011)

  4. PhoneGap platform security. https://github.com/phonegap/phonegap/wiki/Platform-Security

  5. HTML5 security cheat sheet. https://www.owasp.org/index.php/

  6. Chen, Y.-L., Lee, H.-M., Jeng, A.B., Wei, T.-E.: DroidCIA: a novel detection method of code injection attacks on HTML5-based mobile apps. In: 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1, pp. 1014–1021. IEEE (2015)

  7. Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: NDSS Symposium (2014)

  8. Singh, K.: Practical context-aware permission control for hybrid mobile applications. In: International Workshop on Recent Advances in Intrusion Detection, pp. 307–327. Springer, Berlin (2013)

  9. Shehab, M., AlJarrah, A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Proceedings of the 2nd International Workshop on Mobile Development Lifecycle, pp. 1–8. ACM (2014)

  10. Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: HybridGuard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications

  11. Hale, M.L., Hanson, S.: A testbed and process for analyzing attack vectors and vulnerabilities in hybrid mobile apps connected to RESTful web services. In: 2015 IEEE World Congress on Services (SERVICES), pp. 181–188. IEEE (2015)

  12. Yang, L., Cui, X., Wang, C., Guo, S., Xu, X.: Risk analysis of exposed methods to JavaScript in hybrid apps. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 458–464. IEEE (2016)

  13. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638. ACM (2011)

  14. Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Automatically securing permission-based software by reducing the attack surface: an application to Android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pp. 274–277. ACM (2012)

  15. Zhu, H., Xiong, H., Ge, Y., Chen, E.: Mobile app recommendations with security and privacy awareness. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 951–960. ACM (2014)

  16. Sarma, B.P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Android permissions: a perspective combining risks and benefits. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM (2012)

  17. Wang, Y., Zheng, J., Sun, C., Mukkamala, S.: Quantitative security risk assessment of Android permissions and applications. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 226–241. Springer, Berlin (2013)

  18. Android API guide: <permission>. https://developer.android.com/guide/topics/manifest/permission-element.html

  19. Android normal permissions. https://developer.android.com/guide/topics/permissions/normal-permissions.html

  20. Xie, J., Lipford, H.R., Chu, B.: Why do programmers make security errors? In: 2011 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), pp. 161–164. IEEE (2011)

  21. Xie, J., Chu, B., Lipford, H.R., Melton, J.T.: ASIDE: IDE support for web application security. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 267–276. ACM (2011)

  22. Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M.L., Stransky, C.: You get where you're looking for: the impact of information sources on code security. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 289–305. IEEE (2016)

  23. Wijesekera, P., Baokar, A., Hosseini, A., Egelman, S., Wagner, D., Beznosov, K.: Android permissions remystified: a field study on contextual integrity. In: USENIX Security Symposium, pp. 499–514 (2015)

Author information

Corresponding author: Abeer AlJarrah


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

AlJarrah, A., Shehab, M. (2020). Closer Look at Mobile Hybrid Apps Configurations: Statistics and Implications. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_69
