Posted by Achim D. Brucker, licensed under CC BY-ND 4.0.

Static Analysis of Cordova Apps

Apache Cordova is a widely used framework for writing mobile apps that follows the “hybrid app” paradigm. A hybrid app is a mobile app that is partly implemented in platform-neutral HTML5/JavaScript and partly in platform-specific languages (e.g., Java or Objective-C).

Static (dataflow) analysis of hybrid apps that supports the analysis of both the platform-independent and the platform-specific parts in a unified way (e.g., for finding injection vulnerabilities) is an unsolved problem.

The main problem with statically analyzing Cordova apps is that many vulnerabilities in Cordova applications exploit data flows that cross the boundary between HTML/JavaScript and native code. Thus, a static tool should be able to analyze these cross-language dataflows.

There are, in principle, three ways of implementing a static analysis of cross-language dataflows in Cordova apps:

  1. A (deep) analysis of the Cordova framework: In this approach, the full Cordova framework source code, all plugin source code, and the application itself are analyzed together.
    • Advantages:
      • Very precise computation of all dataflows possible.
      • Only very limited amount of manual modeling of sinks and sources required.
    • Disadvantages:
      • Computationally very expensive. The analysis might take hours even for very small extensions.
  2. Modeling the core API of Cordova: In this approach, the cross-language interfaces of the core Cordova framework are modeled, avoiding the need to analyze the framework itself statically. Only the application and all plugins it uses are analyzed.
    • Advantages:
      • Allows for analyzing the application in the context of custom or modified plugins.
      • Usually very fast (a few minutes, even for complex applications).
    • Disadvantages:
      • If the framework changes, a specialist needs to update the model.
  3. Modeling the Cordova plugins: In this approach, the Cordova framework and all plugins are modeled, i.e., their sources and sinks are configured in the static analysis tool. Only the application code itself is statically analyzed.
    • Advantages:
      • Very fast.
    • Disadvantages:
      • No detection of vulnerabilities caused by modified or custom plugins.

We consider the second approach a good compromise between thoroughly analyzing all possible cross-language dataflows and performance (i.e., not repeatedly scanning the same framework code). We implemented this approach in a prototype, and its evaluation shows that it reliably detects cross-language dataflows in Cordova applications. For more details, have a look at our ESSoS 2016 paper [1].
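To make the second approach concrete, here is a small added illustration (not the prototype from the paper): a toy taint analysis in which the Cordova JavaScript-to-native bridge is modeled as a table, while the plugin's own statements are still analyzed. The plugin name, action and the sample statements (`FilePlugin`, `readFile`, the `args` parameter) are constructed for this example.

```python
# Added illustration (not the authors' prototype): toy taint analysis where the
# Cordova JS<->native bridge is *modeled* (approach 2) instead of analysed.
# Plugin and action names (FilePlugin, readFile) are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class Stmt:
    kind: str                 # source | assign | exec | sink
    target: str = ""          # variable written by this statement
    inputs: tuple = ()        # variables read by this statement
    meta: dict = field(default_factory=dict)

# Model of the core cross-language interface: cordova.exec(_, _, service, action,
# args) hands 'args' to the native execute() registered for (service, action).
# This table replaces analysing the framework source; plugins are still analysed.
BRIDGE_MODEL = {("FilePlugin", "readFile"): "FilePlugin.execute"}

def step(s, tainted):
    """One transfer step; returns True if s is a sink reached by tainted data."""
    if s.kind == "source" or (s.kind == "assign" and tainted & set(s.inputs)):
        tainted.add(s.target)
    return s.kind == "sink" and bool(tainted & set(s.inputs))

def analyze(js, native):
    """Propagate taint through the JS side and over modeled bridge edges."""
    tainted, findings = set(), []
    for s in js:
        if s.kind == "exec":
            entry = BRIDGE_MODEL.get((s.meta["service"], s.meta["action"]))
            if entry and tainted & set(s.inputs):
                nt = {"args"}  # execute(action, args, cb): the JSONArray is tainted
                findings += [f"{entry}: untrusted data reaches {n.meta['sink']}"
                             for n in native[entry] if step(n, nt)]
        elif step(s, tainted):
            findings.append(f"js: untrusted data reaches {s.meta['sink']}")
    return findings

# Constructed sample: JS reads an untrusted URL fragment and passes it over the
# bridge; the plugin's execute() opens the path without validation.
JS = [
    Stmt("source", "frag", meta={"src": "location.hash"}),
    Stmt("assign", "path", ("frag",)),
    Stmt("exec", inputs=("path",),
         meta={"service": "FilePlugin", "action": "readFile"}),
]
NATIVE = {"FilePlugin.execute": [
    Stmt("assign", "name", ("args",)),       # name = args.getString(0)
    Stmt("sink", inputs=("name",), meta={"sink": "new File(name)"}),
]}

def run_example():
    return analyze(JS, NATIVE)
```

Approach 3 would instead stop at the `exec` statement and treat the modeled plugin as a sink, so a flaw inside a custom plugin's `execute()` would not be seen.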

References

1. Brucker, A. D. and Herzberg, M. “On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova Nation.” International Symposium on Engineering Secure Software and Systems (ESSoS) (2016): 72–88. doi:10.1007/978-3-319-30806-7_5, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016