[ PDF |
DOI |
BibTeX |
EndNote |
RIS |
Word ]
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova Nation
By Achim D. Brucker and Michael Herzberg.
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful.
In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
Keywords: Static Program Analysis, Static Application Security Testing, Android, Cordova, Hybrid Mobile Apps
Supplementary material: [ Slides Implementation | Vulnerable Application ]
Please cite this work as follows: A. D. Brucker and M. Herzberg, “On the static analysis of hybrid mobile apps: A report on the state of apache cordova nation,” in International symposium on engineering secure software and systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 72–88. doi: 10.1007/978-3-319-30806-7_5. Author copy: http://logicalhacking.com/publications/brucker.ea-cordova-security-2016/
BibTeX
@InCollection{ brucker.ea:cordova-security:2016,
author = {Achim D. Brucker and Michael Herzberg},
booktitle = {International Symposium on Engineering Secure Software and
Systems (ESSoS)},
language = {USenglish},
editor = {Juan Caballero and Eric Bodden},
publisher = {Springer-Verlag },
pages = {72--88},
address = {Heidelberg },
series = {Lecture Notes in Computer Science },
number = {9639},
title = {On the Static Analysis of Hybrid Mobile Apps: A Report on the
State of Apache Cordova Nation},
year = {2016},
isbn = {978-3-642-11746-6},
areas = {security, software},
doi = {10.1007/978-3-319-30806-7_5},
abstract = {Developing mobile applications is a challenging business:
developers need to support multiple platforms and, at the same
time, need to cope with limited resources, as the revenue
generated by an average app is rather small. This results in
an increasing use of cross-platform development frameworks
that allow developing an app once and offering it on multiple
mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing
multi-platform apps. Cordova combines HTML5 and JavaScript
with native application code. Combining web and native
technologies creates new security challenges as, e.g., an XSS
attacker becomes more powerful.
In this paper, we present a novel approach for statically
analysing the foreign language calls. We evaluate our approach
by analysing the top Cordova apps from Google Play. Moreover,
we report on the current state of the overall quality and
security of Cordova apps.},
keywords = {Static Program Analysis, Static Application Security Testing,
Android, Cordova, Hybrid Mobile Apps},
supplementary01 = {https://git.logicalhacking.com/DASCA/DASCA},
supplabel01 = {Implementation},
supplementary02 = {https://git.logicalhacking.com/DASCA/DVHMA},
supplabel02 = {Vulnerable Application},
note = {Author copy: \url{http://logicalhacking.com/publications/brucker.ea-cordova-security-2016/}},
}