Title: Risk Analysis of Exposed Methods to JavaScript in Hybrid Apps
Authors: Yang, Liu; Cui, Xingmin; Wang, Changyuan; Guo, Shanqing; Xu, Xinshun
Corresponding author: Yang, L
Author affiliations: [Yang, Liu; Wang, Changyuan; Guo, Shanqing; Xu, Xinshun] Shandong Univ, Jinan, Peoples R China.; [Cui, Xingmin] Univ Hong Kong, Hong Kong, Hong Kong
Conference name: 15th IEEE Int Conf on Trust, Security and Privacy in Comp and Commun / 10th IEEE Int Conf on Big Data Science and Engineering / 14th IEEE Int Symposium on Parallel and Distributed Proc with Applicat (IEEE Trustcom/BigDataSE/ISPA)
Conference date: AUG 23-26, 2016
Source: 2016 IEEE TRUSTCOM/BIGDATASE/ISPA
Publication year: 2016
Pages: 458-464
DOI:10.1109/TrustCom.2016.96
Keywords: Android Security; WebView; JavaScript
Abstract: Nowadays, there are more and more hybrid apps appearing in the app market which contain native code and Web pages. In order to enhance the ability of JavaScript in the WebView, these apps expose methods that can be invoked by JavaScript. However, when we study the communication from JavaScript to native code, we find a security issue that if the exposed methods finally invoke sensitive methods, such as SEND_SMS, getLastKnownLocation, and these exposed methods are called via unsafe connections, malicious code can be injected to perform sensitive operations without the user's consent. To automatically detect this vulnerability, we provide a hybrid system that contains both static and dynamic analysis modules. The static analysis discerns potential vulnerable apps and gathers information to guide the dynamic analysis while the dynamic analysis executes the app to verify whether the app is vulnerable or not. We use this system to test 400 most popular apps in the Google Play market and find that 43 apps are vulnerable.
Indexed in: CPCI-S
Resource type: Conference paper