Research On Fine-grained Access Control In Android Hybrid Applications

With the rapid development of mobile Internet, smartphones and tablets has increasingly become an indispensable tool in people's life,numerous developers are attracted to create plenty of applications. Nowadays, with the progress in mobile computing and web technology, HTML5-based mobile applications are becoming more and more popular for its good portability and ease of development. In most mobile platforms, including Android, iOS, and Windows Phone, hybrid applications, also known as mobile web applications, embed a small but powerful browser component to load the HTML pages and execute JavaScript codes. This embedded browser is called WebView in Android(it is called different names in other platforms). Different from the one of native apps, hybrid apps contains two parts, web codes implement app's function logic and Java code provide the abilities to access system resources.Also WebView offers a variety of bridging mechanisms for web codes to communicate with local Java objects. These new features enrich apps' functions but also introduce new security issues.In this thesis, we first systematic study the security of Android hybrid apps. We analysis its software architecture and the characteristics of its middleware development framework,build its security model and illustrate the possible security problems. We points out that the main causes of the security problems in hybrid apps is brought by its core components WebView, when introducing new features WebView breaks the sandbox model adopted by traditional browser applications, makes the web code loaded by WebView can access system resources, and Android system does not provide a appropriate mechanism to control these accesses.In order to sovle this problem, we propose a fine-grained access control mechanism based on PhoneGap, the most popular middleware development framework of Android hybrid apps. Our model encapsulate operates of access system resources in the form of PhoneGap plugins, and assign the perimissions of access different plugins to the web content loaded from different sources to control its access operation to system resources. Through experimental analysis, our access control model can effectively control the Web codes loaded by WebView to access to system resources, and the overload it introduces is negligible, has a little impact on the performance of the application.