Closer Look at Mobile Hybrid Apps Configurations: Statistics and Implications

  • Abeer AlJarrahEmail author
  • Mohamed Shehab
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)


We are witnessing a transition in the development of mobile operating systems from native custom architectures to web-based cross-platforms. There are several security implications of bringing the web code to smart-phones. In this paper, we present a large-scale study that is centered on mobile hybrid apps configurations and permissions usage patterns. We study the platform configuration model and its’ evolution. We find that while the platform is adding more security features, there is a demonstrable misconfiguration trend. The result of analyzing a set of 2111 hybrid apps uncovered several alarming observations. We have found that 80% of the apps are vulnerable to injection attacks because of an absence or a poor usage of the security model provided by the platform. We also detect a trend of keeping risky default configuration settings which results in having over-privileged apps that may expose device APIs to malicious code. On the system side, we realize that most of the apps have access to the platform’s INTERNET and GEOLOCATION permissions. Google messaging is also recognized as the most widely used third-party service. In addition, we detect suspicious set of domains including spying, payment, Adware, and military that are white-listed. This study has the following contributions: (1) Systematizing our knowledge about mobile hybrid apps configuration model. (2) Providing an evidence of configuration misuse and developers tendency to use defaults. (3) Discussing possible reasons of misconfiguration practices and suggesting recommendations that address both the platform and the developer.


Mobile hybrid apps Configurations Security Cross-platforms HTML5 apps 


  1. 1.
    Jin, X., Luo, T., Tsui, D.G., Du, W.: Code injection attacks on html5-based mobile apps (2014). arXiv preprint arXiv:1410.7756
  2. 2.
    Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on html5-based mobile apps: characterization, detection and mitigation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 66–77. ACM (2014)Google Scholar
  3. 3.
    Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on webview in the android system. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 343–352. ACM (2011)Google Scholar
  4. 4.
  5. 5.
    “Html5 security cheat sheet,”
  6. 6.
    Chen, Y.-L., Lee, H.-M., Jeng, A.B., Wei, T.-E.: Droidcia: a novel detection method of code injection attacks on html5-based mobile apps. In: Trustcom/BigDataSE/ISPA, vol. 1, pp. 1014–1021 (2015). IEEEGoogle Scholar
  7. 7.
    Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: NDSS Symposium, vol. 2014. NIH Public Access, p. 1 (2014)Google Scholar
  8. 8.
    Singh, K.: Practical context-aware permission control for hybrid mobile applications. In: International Workshop on Recent Advances in Intrusion Detection. Springer, Berlin, pp. 307–327 (2013)CrossRefGoogle Scholar
  9. 9.
    Shehab, M., AlJarrah, A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Proceedings of the 2nd International Workshop on Mobile Development Lifecycle, pp. 1–8. ACM (2014)Google Scholar
  10. 10.
    Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: Hybridguard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applicationsGoogle Scholar
  11. 11.
    Hale, M.L., Hanson, S.: A testbed and process for analyzing attack vectors and vulnerabilities in hybrid mobile apps connected to restful web services. In: 2015 IEEE World Congress on Services (SERVICES), pp. 181–188 (2015). IEEEGoogle Scholar
  12. 12.
    Yang, L., Cui, X., Wang, C., Guo, S., Xu, X.: Risk analysis of exposed methods to javascript in hybrid apps. In: Trustcom/BigDataSE/I SPA, pp. 458–464. IEEE (2016)Google Scholar
  13. 13.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638. ACM (2011)Google Scholar
  14. 14.
    Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Automatically securing permission-based software by reducing the attack surface: an application to android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pp. 274–277. ACM (2012)Google Scholar
  15. 15.
    Zhu, H., Xiong, H., Ge, Y., Chen, E.: Mobile app recommendations with security and privacy awareness. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 951–960. ACM (2014)Google Scholar
  16. 16.
    Sarma, B.P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Android permissions: a perspective combining risks and benefits. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM (2012)Google Scholar
  17. 17.
    Wang, Y., Zheng, J., Sun, C., Mukkamala, S.: Quantitative security risk assessment of android permissions and applications. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 226–241. Springer, Berlin (2013)Google Scholar
  18. 18.
  19. 19.
  20. 20.
    Xie, J., Lipford, H.R., Chu, B.: Why do programmers make security errors? In: 2011 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), pp. 161–164. IEEE (2011)Google Scholar
  21. 21.
    Xie, J., Chu, B., Lipford, H.R., Melton, J.T.: Aside: IDE support for web application security. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 267–276. ACM (2011)Google Scholar
  22. 22.
    Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M.L., Stransky, C.: You get where you’re looking for: The impact of information sources on code security. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 289–305. IEEE (2016)Google Scholar
  23. 23.
    Wijesekera, P., Baokar, A., Hosseini, A., Egelman, S., Wagner, D., Beznosov, K.: Android permissions remystified: a field study on contextual integrity. In: USENIX Security Symposium, pp. 499–514 (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.University of North Carolina at CharlotteCharlotteUSA

Personalised recommendations