
JavaScript Usage Patterns And Security Vulnerability Analysis In Android Applications

Posted on: 2018-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: Q Q Huang
GTID: 2358330512976702
Subject: Computer technology

Abstract/Summary:
In recent years, security vulnerabilities in Android apps (or apps) have been growing rapidly. Since most apps need to access web pages, JavaScript-related vulnerabilities account for 40% of all these vulnerabilities, greatly threatening users' privacy and security. However, current research on JavaScript-related vulnerabilities in apps has three deficiencies. First, it does not comprehensively study the root causes and attack methods of all types of JavaScript-related vulnerabilities. Second, it does not report the current status of JavaScript usage and the associated vulnerabilities in apps. Third, it does not provide a publicly available tool to detect JavaScript-related vulnerabilities. To address these issues, this paper presents the following three efforts:

1. We first conduct an empirical study on JavaScript usage and vulnerabilities in Android apps. We choose the 100 most popular apps as the research object, use Android reverse engineering to obtain the source code and resources of these apps, and analyze the parts that use JavaScript. Through this empirical study, we sum up four common JavaScript usage patterns in apps, and find that improper use of the first three patterns can lead to three types of related JavaScript vulnerabilities, respectively. For each vulnerability, we analyze the root cause and build the attack model. In addition, we statistically summarize the distributions of JavaScript usage and security in these 100 apps, grasp the current status of JavaScript security in mainstream Android apps, and report our identified vulnerabilities to app developers.

2. We further design and implement a prototype tool called JSDroid to automatically detect JavaScript-related vulnerabilities in apps. Based on static analysis, JSDroid parses code and resources from an input APK file, analyzes the matched JavaScript usage patterns, the existing JavaScript-related vulnerabilities, and the exposed attack entry points in an app, and outputs a vulnerability detection report. The tool not only can detect JavaScript-related vulnerabilities in a large number of Android apps, but also provides a simple and attractive user interface that is convenient to use.

3. We apply JSDroid to 1000 popular apps to learn the current status of JavaScript security in large-scale apps and to evaluate the performance of the tool. First, the experimental results show that 806 apps use JavaScript, 708 apps contain at least one kind of JavaScript-related vulnerability, and 192 of them can be attacked. Second, we verify the good performance of JSDroid by analyzing its effectiveness and efficiency, and compare our results with other experimental results in the related work. Then, we carry out attacks on 30 victim apps and offer several specific case studies. Finally, we propose suggestions for developers and users to reduce JavaScript security risks in Android apps.
Keywords/Search Tags:Android application, JavaScript security vulnerability, WebView, empirical study, static analysis