Abstract
We are witnessing a transition in mobile app development from native, platform-specific code to web-based cross-platform frameworks. Bringing web code onto smartphones has several security implications. In this paper, we present a large-scale study centered on the configuration and permission-usage patterns of mobile hybrid apps. We study the platform's configuration model and its evolution, and we find that while the platform keeps adding security features, there is a demonstrable trend toward misconfiguration. Analyzing a set of 2111 hybrid apps uncovered several alarming observations. We found that 80% of the apps are vulnerable to injection attacks because the security model provided by the platform is either absent or poorly used. We also detect a tendency to keep risky default configuration settings, which results in over-privileged apps that may expose device APIs to malicious code. On the system side, we observe that most of the apps hold the platform's INTERNET and GEOLOCATION permissions, and that Google messaging is the most widely used third-party service. In addition, we detect a suspicious set of whitelisted domains, including spying, payment, adware, and military domains. This study makes the following contributions: (1) systematizing our knowledge of the mobile hybrid app configuration model; (2) providing evidence of configuration misuse and of developers' tendency to use defaults; (3) discussing possible reasons for misconfiguration practices and suggesting recommendations that address both the platform and the developer.
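For Cordova/PhoneGap apps, the configuration surface the abstract refers to is the domain whitelist in config.xml (`<access origin>`, `<allow-navigation>`) and the Content-Security-Policy meta tag in the app's index.html; a wildcard whitelist left at its default and a CSP that permits eval or inline script are concrete instances of the "absent or poorly used security model" the abstract counts. The checker below is an added example written for this page, not code from the paper or its authors: it parses both files and reports those settings, with a default-looking configuration beside a hardened one. The config and HTML documents are constructed samples, api.example.com is a placeholder host, and the set of risky patterns is the editor's own short list, not the paper's measurement methodology.

```python
"""Flag risky Cordova/PhoneGap hybrid-app configuration settings.

Added example, not code from the paper. It checks the two places the
abstract's findings point at: the domain whitelist in config.xml and the
Content-Security-Policy meta tag in the app's index.html. Element and
attribute names follow the Cordova config.xml format; the sample documents
are constructed, and the host api.example.com is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

W3 = "{http://www.w3.org/ns/widgets}"  # namespace of the <widget> document

# Constructed sample: the shape of a freshly generated config.xml, with the
# wildcard whitelist and wildcard navigation rule left at their defaults.
DEFAULT_CONFIG_XML = """<widget id="com.example.hybrid" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>Sample</name>
    <access origin="*" />
    <allow-navigation href="*" />
    <plugin name="cordova-plugin-geolocation" />
</widget>
"""

# Constructed hardened counterpart: one pinned HTTPS origin, no wildcards.
HARDENED_CONFIG_XML = DEFAULT_CONFIG_XML.replace(
    '<access origin="*" />', '<access origin="https://api.example.com" />'
).replace('<allow-navigation href="*" />',
          '<allow-navigation href="https://api.example.com/*" />')

# Constructed index.html heads: a permissive CSP of the kind starter
# templates ship, and a tightened one that drops eval and inline script.
DEFAULT_INDEX_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
</head><body></body></html>"""
HARDENED_INDEX_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' https://api.example.com; script-src 'self'; style-src 'self'">
</head><body></body></html>"""

WILDCARD_ORIGIN = re.compile(r"https?://\*(/\*)?")  # "http://*", "https://*/*"
CSP_META = re.compile(
    r'<meta[^>]*http-equiv=(["\'])Content-Security-Policy\1[^>]*content=(["\'])(.*?)\2',
    re.IGNORECASE | re.DOTALL,
)


def whitelist_findings(config_xml: str) -> list[str]:
    """Findings for <access origin> and <allow-navigation href> whitelist rules."""
    root = ET.fromstring(config_xml)
    findings = []
    for tag, attr in (("access", "origin"), ("allow-navigation", "href")):
        for element in root.findall(W3 + tag):
            value = element.get(attr, "")
            if value == "*" or WILDCARD_ORIGIN.fullmatch(value):
                # Any host may be loaded into the WebView, so content from any
                # injected URL reaches the JavaScript-to-native bridge.
                findings.append(f"{tag} {attr}={value!r} whitelists every host")
            elif value.startswith("http://"):
                findings.append(f"{tag} {attr}={value!r} permits cleartext HTTP")
    return findings


def csp_findings(index_html: str) -> list[str]:
    """Findings for a missing or permissive Content-Security-Policy meta tag."""
    match = CSP_META.search(index_html)
    if not match:
        return ["no Content-Security-Policy meta tag"]
    # Map each directive name to its source list; script-src falls back to default-src.
    directives = {}
    for part in match.group(3).split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script_sources = directives.get("script-src", directives.get("default-src", []))
    findings = []
    for risky in ("'unsafe-eval'", "'unsafe-inline'", "*"):
        if risky in script_sources:
            findings.append(f"script sources allow {risky}")
    return findings


def audit(config_xml: str, index_html: str) -> list[str]:
    """Combined findings for one app; an empty list means no risky setting was found."""
    return whitelist_findings(config_xml) + csp_findings(index_html)


if __name__ == "__main__":
    for label, cfg, html in (("default", DEFAULT_CONFIG_XML, DEFAULT_INDEX_HTML),
                             ("hardened", HARDENED_CONFIG_XML, HARDENED_INDEX_HTML)):
        print(f"{label}: {audit(cfg, html) or ['clean']}")
```

Run as a script, the default sample is flagged for the wildcard `access` and `allow-navigation` rules and for `'unsafe-eval'` in the CSP, while the hardened pair produces no findings. A real audit over an app corpus would unpack each APK or IPA and feed its config.xml and www/index.html to `audit()`; the plugin list in config.xml is the natural place to extend the same pass to the permission-usage side of the study.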
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
AlJarrah, A., Shehab, M. (2020). Closer Look at Mobile Hybrid Apps Configurations: Statistics and Implications. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_69
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12384-0
Online ISBN: 978-3-030-12385-7
eBook Packages: Intelligent Technologies and Robotics (R0)