On the Static Analysis of Hybrid Mobile Apps

A Report on the State of Apache Cordova Nation

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9639)

Abstract

Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.

Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges: for example, an XSS attacker becomes more powerful, because injected JavaScript can reach the native side through the framework's bridge.

In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.

A.D. Brucker: Parts of this research were done while the author was a Security Testing Strategist and Research Expert at SAP SE in Germany.


Notes

  1. For more information on the usage of these two parameters, see https://cordova.apache.org/docs/en/latest/guide/hybrid/plugins/.

  2. Our prototype is available at https://github.com/DASPA/DASCA.

  3. The DVHMA app is available at https://github.com/ZertApps/DVHMA.


Acknowledgements

We would like to thank Jens Heider and Stephan Huber from Fraunhofer SIT who provided us with the initial list of Cordova apps for our evaluation. This research was partially supported by the Federal Ministry for Education and Research (BMBF) in the context of the project ZertApps (http://www.zertapps.de/).


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Brucker, A.D., Herzberg, M. (2016). On the Static Analysis of Hybrid Mobile Apps. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_5

  • DOI: https://doi.org/10.1007/978-3-319-30806-7_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7
