Precisely and Scalably Vetting JavaScript Bridge in Android Hybrid Apps

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10453)

Abstract

In this paper, we propose a novel system, named BridgeScope, for precise and scalable vetting of JavaScript Bridge security issues in Android hybrid apps. BridgeScope is flexible and can be leveraged to analyze a diverse set of WebView implementations, such as Android’s default WebView and Mozilla’s Rhino-based WebView. Furthermore, BridgeScope can automatically generate test exploit code to further confirm any discovered JavaScript Bridge vulnerability.

We evaluated BridgeScope to demonstrate that it is precise and effective in finding JavaScript Bridge vulnerabilities. On average, it can vet an app within seven seconds with a low false positive rate. A large-scale evaluation identified hundreds of potentially vulnerable real-world popular apps that could lead to critical exploitation. Furthermore, we also demonstrate that BridgeScope can discover malicious functionalities that leverage JavaScript Bridge in real-world malicious apps, even when the associated malicious servers were unavailable.

Notes

  1. https://developer.android.com/reference/android/webkit/WebView.html

  2. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino

  3. https://crosswalk-project.org/

  4. https://github.com/pwnall/chromeview

  5. https://github.com/secure-software-engineering/DroidBench

  6. https://en.wikipedia.org/wiki/Same-origin_policy

  7. http://googlemobile.blogspot.com/2012/02/android-and-security.html

  8. https://developer.android.com/reference/android/os/Bundle.html

  9. https://developer.android.com/reference/android/os/Parcel.html

  10. ID stands for the shadowbox’s memory location in our static analysis.

  11. https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html

  12. Since most variable scopes are the same, scope information in variable representations is hidden to make SDG more concise.

  13. https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html

  14. https://ibotpeaches.github.io/Apktool/

  15. https://pypy.org/

Acknowledgments

This material is based upon work supported in part by the National Science Foundation (NSF) under Grant no. 0954096 and 1314823. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF.

Author information

Corresponding author

Correspondence to Guangliang Yang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Yang, G., Mendoza, A., Zhang, J., Gu, G. (2017). Precisely and Scalably Vetting JavaScript Bridge in Android Hybrid Apps. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_7

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6

  • eBook Packages: Computer Science, Computer Science (R0)
