Static Analysis of Cordova Apps
Apache Cordova is a widely used framework for writing mobile apps that follows the “hybrid app” paradigm. A hybrid app is a mobile app that is partly implemented in platform-neutral HTML5/JavaScript and partly in platform-specific languages (e.g., Java or Objective-C).
Static (data flow) analysis of hybrid apps that supports the analysis of both the platform independent and the platform specific parts in a unified way (e.g., for finding injection attacks) is an unsolved problem.
The main problem with statically analyzing Cordova apps is that many vulnerabilities in Cordova applications exploit data flows that cross the boundary between HTML/JavaScript and native code. Thus, a static tool should be able to analyze these cross-language data flows.
There are, in principle, three ways to implement a static analysis of cross-language data flows in Cordova apps:
- A (deep) analysis of Cordova: In this approach, the full Cordova framework source code, all plugin source code, and the implemented application are analyzed together.
  - Advantages:
    - Very precise computation of all data flows possible.
    - Only a very limited amount of manual modeling of sinks and sources is required.
  - Disadvantages:
    - Computationally very expensive. The analysis might take hours even for very small extensions.
- Modeling the core API of Cordova: In this approach, the cross-language interfaces of the core Cordova framework are modeled, avoiding the need to analyze the framework statically. Only the application itself and all plugins it uses are analyzed.
  - Advantages:
    - Allows analyzing the application in the context of custom or modified plugins.
    - Usually very fast (a few minutes, even for complex applications).
  - Disadvantages:
    - If the framework changes, a specialist needs to update the model.
- Modeling the Cordova plugins: In this approach, the Cordova framework and all plugins are modeled, i.e., their sources and sinks are configured in the static analysis tool. Only the application code itself is statically analyzed.
  - Advantages:
    - Very fast.
  - Disadvantages:
    - No detection of vulnerabilities caused by modified or custom plugins.
We consider the second approach a good compromise between thoroughly analyzing all possible cross-language data flows and performance (i.e., avoiding repeated scanning of the same framework code). We implemented this approach in a prototype, and its evaluation shows that it reliably detects cross-language data flows in Cordova applications. For more details, have a look at our ESSoS 2016 paper [1].
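To make the second approach concrete, here is an added toy illustration (not the prototype from the paper): the Cordova bridge is replaced by a hand-written summary that maps the `args` value of a `cordova.exec` call to the `args` parameter of the named plugin's native `execute()`, while the app's JavaScript and the plugin's Java are both represented as simple statements and analyzed together. The statement format, the `bridge_summary` naming scheme, and the `FilePlugin` sample are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    lang: str          # "js" (app code) or "java" (plugin code); both are analyzed
    op: str            # "source" | "assign" | "exec" | "sink"
    dst: str = ""
    srcs: tuple = ()
    meta: str = ""     # source name, plugin service for exec, sink name for sink

def bridge_summary(service):
    # Model of the core bridge (an assumption standing in for Cordova's real
    # exec() plumbing): the JS 'args' value handed to cordova.exec for 'service'
    # arrives as the 'args' parameter of that plugin's native execute().
    return f"{service}.execute.args"

def taint_flows(program):
    """Forward taint propagation over straight-line cross-language code.
    Returns (sink, tainted_var, languages along the path) per source->sink flow."""
    taint = {}                       # var -> statements the taint passed through
    flows = []
    for s in program:
        if s.op == "source":
            taint[s.dst] = [s]
        elif s.op == "assign":
            paths = [taint[v] for v in s.srcs if v in taint]
            if paths:                # first tainted operand wins (simplification)
                taint[s.dst] = paths[0] + [s]
        elif s.op == "exec":         # the modeled cross-language edge
            args = s.srcs[-1]
            if args in taint:
                taint[bridge_summary(s.meta)] = taint[args] + [s]
        elif s.op == "sink":
            for v in s.srcs:
                if v in taint:
                    flows.append((s.meta, v, [t.lang for t in taint[v] + [s]]))
    return flows

# Constructed sample: the app forwards part of the page URL through cordova.exec to a
# hypothetical FilePlugin, whose analyzed Java code opens it as a file path.
VULNERABLE = [
    Stmt("js", "source", "frag", (), "location.hash"),
    Stmt("js", "assign", "args", ("frag",)),
    Stmt("js", "exec", "", ("ok", "fail", "FilePlugin", "readFile", "args"), "FilePlugin"),
    Stmt("java", "assign", "path", (bridge_summary("FilePlugin"),)),
    Stmt("java", "sink", "", ("path",), "FileInputStream"),
]
# Same plugin, but the app passes an untainted value: the model yields no flow.
SAFE = [VULNERABLE[2], VULNERABLE[3], VULNERABLE[4]]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(name, taint_flows(prog))
```

Because the plugin's Java side is analyzed rather than modeled, swapping in a custom or modified plugin changes the result without any change to the bridge summary, which is exactly the trade-off the second approach makes.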