
The Research On The Security Of Web-to-Native Calling Mechanism For Hybrid Applications

Posted on: 2018-12-14  Degree: Master  Type: Thesis
Country: China  Candidate: Y Liu  Full Text: PDF
GTID: 2348330512484589  Subject: Computer Science and Technology
Abstract/Summary:
Hybrid applications are appearing in ever greater numbers in the major Android application markets; according to IDC statistics, as of the third quarter of 2016 Android held 86.8% of the smartphone operating system market. These applications combine native Android Java code with Web pages. To improve the user experience, hybrid applications generally expose some native Java methods to the Web page so that the JavaScript code in the page can access certain device resources. When JavaScript code calls a native Java method, the application first establishes a link with the remote server and then invokes the native Java method within that established link. This call process, however, presents some obvious attack surface. First, when establishing the link, Android hybrid applications usually use SSL or TLS to set up an HTTPS link with the remote server and protect the data in transit. Owing to developer negligence, some of these HTTPS links are not as secure as imagined: in particular, when an SSL certificate error occurs on the HTTPS link, improper handling of the error readily enables man-in-the-middle and phishing attacks. Second, if the called native Java methods can perform sensitive operations, such as sending text messages or accessing contact and location information, and such a call occurs over an HTTP link, a man-in-the-middle attack is easy to mount: injected malicious code can perform sensitive operations without the user's knowledge, leaking private data and even damaging the device.

To assess the security of the Web-to-Native call mechanism, this thesis designs and implements a detection model combining static analysis and dynamic analysis that (1) determines whether the HTTPS link between the application and the remote server is secure, and (2) detects whether a local sensitive Java method is called within an HTTP link. To evaluate the detection capability of the model, we conduct a detailed experiment on these two types of security issues. We downloaded 13820 applications from domestic third-party markets. The experimental results show that static analysis flags 1360 applications as potentially vulnerable in their SSL error handling, and dynamic analysis further confirms that 711 of those potentially vulnerable applications are truly vulnerable. To detect unsafe calls to high-risk methods, we select the 400 most popular applications for detailed analysis and find 43 applications with unsafe calls to high-risk methods.
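As an added illustration, not code from the thesis, the two weaknesses the abstract describes in Android Java: a WebViewClient whose SSL-error handler proceeds past certificate errors, beside one that cancels the load, and a JavaScript bridge whose sensitive method is honoured only when the calling page was loaded over HTTPS. The class and method names (VulnerableClient, HardenedClient, DeviceBridge, readContacts) are assumed.

```java
import android.graphics.Bitmap;
import android.net.http.SslError;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Weak pattern of the kind the thesis' static analysis flags: every certificate
// error (untrusted CA, hostname mismatch, expiry) is accepted, so an active
// attacker presenting a forged certificate can terminate the "HTTPS" link.
class VulnerableClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();   // accepts any SslError.SSL_* condition
    }
}

// Hardened pattern: abort on any certificate error (not overriding the callback
// at all gives the same safe default) and remember the scheme of the main-frame
// page so the bridge can refuse calls originating from a plain-HTTP page.
class HardenedClient extends WebViewClient {
    // Written on the UI thread by WebView callbacks; read by the bridge, which
    // WebView invokes on a background thread, hence volatile.
    volatile boolean pageIsHttps = false;

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        pageIsHttps = url != null && url.startsWith("https://");
    }
}

// Object exposed to page script via webView.addJavascriptInterface(bridge, "device").
// A sensitive method reachable from an HTTP page is the abstract's second issue:
// script injected into that page could invoke it without the user noticing.
class DeviceBridge {
    private final HardenedClient client;
    DeviceBridge(HardenedClient client) { this.client = client; }

    @JavascriptInterface
    public String readContacts() {
        if (!client.pageIsHttps) {
            return null;   // refuse: the calling page did not arrive over HTTPS
        }
        return "CONTACTS_PLACEHOLDER";   // assumed: real contact lookup goes here
    }
}
```

The check assumes mixed content stays blocked (the WebView default on API 21+), so that a sub-frame loaded over HTTP cannot reach the bridge while the main frame is HTTPS.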
Keywords/Search Tags:Android Security, Web View, JavaScript, Static Analysis, Dynamic Analysis