Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Static Analysis of Cordova Apps

Apache Cordova is a widely used framework for writing mobile apps that follows the “hybrid app” paradigm. A hybrid app is a mobile app that is partly implemented in platform-neutral HTML5/JavaScript and partly in platform specific languages (e.g., Java or Objective C).

Static (data flow) analysis of hybrid apps that supports the analysis of both the platform independent and the platform specific parts in a unified way (e.g., for finding injection attacks) is an unsolved problem.

The main problem with statically analyzing Cordova apps is that many vulnerabilities in Cordova applications exploit data flows that cross the boundary between HTML/JavaScript and native code. Thus, a static tool should be able to analyze these cross-language data flows.

There are, in principle, three ways of implementing a static analysis of the cross-language data flows of Cordova apps:

  1. A (deep) analysis of the Cordova framework: In this approach, the full Cordova framework source code, all plugin source code, and the application itself are analyzed together.
    • Advantages:
      • Very precise computation of all data flows possible.
      • Only very limited amount of manual modeling of sinks and sources required.
    • Disadvantages:
      • Computationally very expensive. The analysis might take hours even for very small extensions.
  2. Modeling the core API of Cordova: In this approach, the cross-language interfaces of the core Cordova framework are modeled, avoiding the need of analyzing the framework statically. Only the application itself and all used plugins are analyzed.
    • Advantages:
      • Allows for analyzing the application in the context of custom or modified plugins.
      • Usually very fast (a few minutes, even for complex applications).
    • Disadvantages:
      • If the framework changes, a specialist needs to update the model.
  3. Modeling the Cordova plugins: In this approach, the Cordova framework and all plugins are modeled, i.e., their sources and sinks are configured in the static analysis tool. Only the application code itself is statically analyzed.
    • Advantages:
      • Very fast.
    • Disadvantages:
      • No detection of vulnerabilities caused by modified or custom plugins.

We consider the second approach a good compromise between thoroughly analyzing all possible cross-language data flows and performance (i.e., not repeatedly re-scanning the same framework code for every application). We implemented this approach in a prototype, and its evaluation shows that it reliably detects cross-language data flows in Cordova applications. For more details, have a look at our ESSoS 2016 paper [1].
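To make the second approach concrete, here is an added illustration (not code from the paper or its prototype): only the cordova.exec bridge is hand-modelled, while the app's JavaScript and each plugin's native side are analysed, so a flow from a JavaScript source into a native sink and back is found. The app, the plugin, the variable and sink names, and the tuple IR are constructed for this example and are not a real Cordova or analysis-tool format.

```python
from typing import Dict, List, Set, Tuple

# Bridge model (the hand-maintained part): cordova.exec(ok, err, service,
# action, [arg]) passes `arg` to the plugin's execute(action, args, cb), and
# cb.success(v) delivers v to the `ok` callback's parameter.
JS_APP: List[tuple] = [
    ("source", "hash", "location.hash"),            # untrusted input
    ("assign", "query", "hash"),
    ("exec", "Storage", "find", "query", "rows"),    # crosses into native code
    ("assign", "html", "rows"),
    ("sink", "html", "innerHTML"),                   # result rendered in the WebView
]
NATIVE_PLUGINS: Dict[Tuple[str, str], List[tuple]] = {
    ("Storage", "find"): [                           # constructed custom plugin
        ("param", "args"),                           # JSONArray handed over by exec
        ("assign", "sql", "args"),
        ("sink", "sql", "SQLiteDatabase.rawQuery"),  # native sink
        ("success", "sql"),                          # flows back to JS
    ],
}

def taint_flows(js: List[tuple], plugins: Dict[Tuple[str, str], List[tuple]]
                ) -> Set[Tuple[str, str]]:
    """Forward taint propagation over straight-line IR on both sides of the
    bridge.  Returns (source, sink) pairs, including cross-language ones."""
    flows: Set[Tuple[str, str]] = set()
    def run(stmts: List[tuple], incoming: Set[str]) -> Set[str]:
        env: Dict[str, Set[str]] = {}      # variable -> originating sources
        returned: Set[str] = set()         # what this side hands back
        for kind, *ops in stmts:
            if kind == "source":
                env.setdefault(ops[0], set()).add(ops[1])
            elif kind == "assign":
                env.setdefault(ops[0], set()).update(env.get(ops[1], set()))
            elif kind == "param":           # native entry: data from exec()
                env.setdefault(ops[0], set()).update(incoming)
            elif kind == "sink":
                flows.update((src, ops[1]) for src in env.get(ops[0], set()))
            elif kind == "success":         # native -> JS callback
                returned.update(env.get(ops[0], set()))
            elif kind == "exec":            # JS -> native via the bridge model
                service, action, arg, ok_param = ops
                back = run(plugins.get((service, action), []), env.get(arg, set()))
                env.setdefault(ok_param, set()).update(back)
        return returned
    run(js, set())
    return flows
```

Because the plugin body is analysed rather than modelled, a modified or custom plugin is covered (the advantage listed above for approach 2); replacing the bridge model is the only work needed when the framework changes.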

References

[1]
A. D. Brucker and M. Herzberg, “On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova Nation,” in International Symposium on Engineering Secure Software and Systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 72–88. doi: 10.1007/978-3-319-30806-7_5.

Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We blog regularly news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.