HybriDroid: Analysis Framework for
Android Hybrid Applications
Sungho Lee, Julian Dolby, Sukyoung Ryu
Programming Language Research Group
KAIST
June 13, 2015
Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 1/45
Analyzing JavaScript Web Applications in the Wild (Mostly) Statically
Bittersweet ADB: Attacks and Defenses
Hey, You, Get Off of My UI
Injection of Malicious Activities and Fragments to Control UI Flows
Motivation
Many mobile platforms out there.
To support multiple platforms with native applications,
need to implement one application per platform;
need to repeat application development multiple times.
Web applications cannot use device features.
Hybrid applications could be one solution.
Hybrid applications use both HTML5 code (HTML, CSS, and JavaScript) and native device features, such as a camera or accelerometer.
Cross-platform tools to build hybrid applications: Apache Cordova, Appcelerator Titanium, Xamarin, ...
“Gartner Says by 2016, More Than 50 Percent of Mobile Apps Deployed Will be Hybrid” http://www.gartner.com/newsroom/id/2324917
“Build Once, Run Everywhere”
Security risks for hybrid applications
One Malware for multiple platforms!
“Building Hybrid Android Apps with Java and JavaScript” http://shop.oreilly.com/product/0636920028994.do
Challenges in analyzing hybrid applications
They are developed in multiple programming languages with different data types, values, and semantics.
Inter-language communications are not explicit but implicit; they are not well documented.
Hybrid Applications in Android
Implicit Inter-Language Communications
Android Java ⇒ JavaScript
WebView.loadUrl("javascript:request();")
WebView.loadUrl is usually for loading a given URL.
When the prefix of a string argument of WebView.loadUrl is “javascript:”, it acts like the eval function.
JavaScript ⇒ Android Java
WebViewClient.shouldOverrideUrlLoading
WebChromeClient.onJsPrompt
WebView.addJavascriptInterface
(from hybrid applications developed in the Cordova framework)
addJavascriptInterface
http://developer.android.com/reference/android/webkit/WebView.html
JavaScript can call the Java object’s methods.
It cannot access the Java object’s fields.
Only public methods annotated with JavascriptInterface can be accessed from JavaScript.
Type conversions and restrictions are not specified, but ...
Type Compatibility (by Experiments)
JavaScript ⇒ Android Java: function argument types
| JavaScript value \ Java parameter | int | float | String | boolean | Object | Array |
|---|---|---|---|---|---|---|
| Null | ✗ (null) | ✗ (null) | ✗ (null) | ✗ (null) | ✗ (null) | ✗ (null) |
| Undefined | ✗ | ✗ | ✗ ("undefined") | ✗ | ✗ | ✗ |
| Number | ✓ | ✓ | ✓ (type conversion) | ✗ (false) | ✗ (null) | ✗ (null) |
| Boolean | ✗ (0) | ✗ (0) | ✓ (type conversion) | ✓ | ✗ (null) | ✗ (null) |
| String | ✗ (0) | ✗ (0) | ✓ | ✗ (false) | ✗ (null) | ✗ (null) |
| Object | ✗ (0) | ✗ (0) | ✗ ("undefined") | ✗ (false) | ✗ (null) | ✗ (null) |
| Array | ✗ (0) | ✗ (0) | ✗ ("undefined") | ✗ (false) | ✗ (null) | \* |

\* = ✓ if the Array element type is one of primitive types;
null if the Array element type is Object;
0 if the Array element type is int or float;
false if the Array element type is boolean; or
"undefined" if the Array element type is String.
Android Java ⇒ JavaScript: function return types
| Java return type | int | float | String | boolean | Object | Array |
|---|---|---|---|---|---|---|
| JavaScript | ✓ | ✓ (inexact) | ✓ | ✓ | ✗ ({}) | ✗ (undefined) |
HybriDroid
Soundy analysis framework for Android hybrid applications
Support for partial but most implicit inter-language flows backed by APIs, blogs, and Dalvik VM source code
Support for partial but most type compatibility backed by experiments with trials & errors
Implementation on top of WALA
https://github.com/SunghoLee/WALA/tree/master/HybriDroid/src/kr/ac/kaist/hybridroid/callgraph
HybriDroid Implementation
AndroidHybridCallGraphBuilder
Model addJavascriptInterface by binding the Java object (first argument) with the given name (second argument) at the global scope of JavaScript
Model Android Java methods as mockup objects that are accessible from JavaScript
AndroidHybridAnalysisScope
Build a single analysis scope covering both Android Java and JavaScript
Replace Java with Android Java in the sample JavaJavaScriptAnalysisScope class
AndroidHybridMethodTargetSelector
Model invocation of Android Java methods from JavaScript by selecting mockup objects constructed by AndroidHybridCallGraphBuilder as invocation targets
Applications
API misuse detection
Use of void results from Android Java methods in JavaScript
Passing values of incompatible types between Android Java methods and JavaScript
Wrong number of arguments to Android Java methods from JavaScript
Private data leakage detection
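
The three API misuse checks listed above, sketched as an added example that is not part of the slides or of HybriDroid itself. It assumes a hand-written bridge model and call-site summary (the `Android` object, its methods and the finding labels are hypothetical), with the compatible pairs taken from the two type-compatibility tables above.

```javascript
// Added example: a constructed model, not HybriDroid code.
// JavaScript argument type -> Java parameter types the slides mark as
// compatible in the "function argument types" table. Every other pair is
// incompatible; Array -> Array depends on the element type (table footnote).
const ARG_OK = {
  Number: new Set(["int", "float", "String"]),
  Boolean: new Set(["String", "boolean"]),
  String: new Set(["String"]),
};
// Java return types that reach JavaScript intact per the "function return
// types" table; Object arrives as {} and Array as undefined.
const RETURN_OK = new Set(["int", "float", "String", "boolean"]);

// Hypothetical bridge: name bound by addJavascriptInterface -> the public
// @JavascriptInterface methods of the bound Java object.
const bridge = {
  Android: {
    showToast: { params: ["String"], returns: "void" },
    setVolume: { params: ["int"], returns: "void" },
    getUserName: { params: [], returns: "String" },
    getProfile: { params: [], returns: "Object" },
    sum: { params: ["Array"], returns: "int" },
  },
};

// Constructed call sites, as a JavaScript front end might summarise them.
const calls = [
  { obj: "Android", method: "showToast", args: ["String"], resultUsed: false },
  { obj: "Android", method: "showToast", args: ["Number"], resultUsed: true },
  { obj: "Android", method: "setVolume", args: ["String"], resultUsed: false },
  { obj: "Android", method: "setVolume", args: [], resultUsed: false },
  { obj: "Android", method: "getProfile", args: [], resultUsed: true },
  { obj: "Android", method: "sum", args: ["Array"], resultUsed: true },
  { obj: "Android", method: "reboot", args: [], resultUsed: false },
];

function checkCall(call) {
  const target = (bridge[call.obj] || {})[call.method];
  // Only annotated public methods are reachable from JavaScript.
  if (!target) return ["method-not-exposed"];
  const findings = [];
  if (call.resultUsed && target.returns === "void") {
    findings.push("void-result-used");
  } else if (call.resultUsed && !RETURN_OK.has(target.returns)) {
    findings.push(`return-not-convertible:${target.returns}`);
  }
  if (call.args.length !== target.params.length) {
    findings.push(`wrong-argument-count:${call.args.length}/${target.params.length}`);
    return findings; // positions no longer line up, skip the type check
  }
  call.args.forEach((jsType, i) => {
    const javaType = target.params[i];
    if (jsType === "Array" && javaType === "Array") {
      findings.push(`arg${i}:depends-on-array-element-type`);
    } else if (!(ARG_OK[jsType] && ARG_OK[jsType].has(javaType))) {
      findings.push(`arg${i}:incompatible:${jsType}->${javaType}`);
    }
  });
  return findings;
}

function report(callSites) {
  return callSites.map((c) => {
    const findings = checkCall(c);
    return `${c.obj}.${c.method}(${c.args.join(", ")}): ` +
      (findings.length ? findings.join("; ") : "ok");
  });
}

console.log(report(calls).join("\n"));
```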
Application: Private Data Leakage Detection
Private data “sources” and “sinks” via network may be anywhere in Android Java and JavaScript.
Track flows of private data via data flow analysis and detect possible private data leakage.
Four kinds of private data flows
Android Java (source) ⇒ JavaScript (sink)
Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)
JavaScript (source) ⇒ Android Java (sink)
JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)
Taint analysis based on WALA’s IFDS implementation
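
The four kinds of flows, shown on a small data-flow graph as an added example that is not from the slides. It uses plain graph reachability in place of WALA's IFDS, and the statements, bridge method names (`getId`, `upload`, `encode`) and edges are constructed for illustration.

```javascript
// Added example: constructed statements and edges, not HybriDroid output.
// Each node is one statement; lang says which side of the bridge it is on.
const nodes = {
  jId: { lang: "java", role: "source", text: "TelephonyManager.getDeviceId()" },
  jGet: { lang: "java", text: "@JavascriptInterface String getId()" },
  sId: { lang: "js", text: "var id = Android.getId()" },
  sXhr: { lang: "js", role: "sink", text: "xhr.send(id)" },
  sUp: { lang: "js", text: "Android.upload(id)" },
  jUp: { lang: "java", role: "sink", text: "out.write(data)" },
  sPw: { lang: "js", role: "source", text: "document.getElementById('pw').value" },
  sEnc: { lang: "js", text: "var e = Android.encode(pw)" },
  jEnc: { lang: "java", text: "@JavascriptInterface String encode(String)" },
  jLog: { lang: "java", role: "sink", text: "out.write(encoded)" },
  sImg: { lang: "js", role: "sink", text: "img.src = url + e" },
};

// Data-flow edges; the ones that change language are the bridge crossings.
const edges = {
  jId: ["jGet"],
  jGet: ["sId"], // bridge return value: Java -> JavaScript
  sId: ["sXhr", "sUp"],
  sUp: ["jUp"], // bridge call argument: JavaScript -> Java
  sPw: ["sEnc"],
  sEnc: ["jEnc"], // bridge call argument: JavaScript -> Java
  jEnc: ["jLog", "sImg"], // written out in Java and returned to JavaScript
};

// Language sequence of a path -> the flow kind named on the slide.
const KINDS = {
  "java>js": "Android Java (source) ⇒ JavaScript (sink)",
  "java>js>java": "Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)",
  "js>java": "JavaScript (source) ⇒ Android Java (sink)",
  "js>java>js": "JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)",
};

function classify(path) {
  const langs = [];
  for (const id of path) {
    const lang = nodes[id].lang;
    if (langs[langs.length - 1] !== lang) langs.push(lang); // collapse runs
  }
  return KINDS[langs.join(">")] || "other";
}

// Breadth-first search from every source; each reachable sink is reported
// with the shortest path that reaches it.
function findFlows(nodes, edges) {
  const flows = [];
  for (const [src, node] of Object.entries(nodes)) {
    if (node.role !== "source") continue;
    const prev = new Map([[src, null]]);
    const queue = [src];
    while (queue.length) {
      const cur = queue.shift();
      for (const next of edges[cur] || []) {
        if (prev.has(next)) continue;
        prev.set(next, cur);
        queue.push(next);
      }
    }
    for (const [id, n] of Object.entries(nodes)) {
      if (n.role !== "sink" || !prev.has(id)) continue;
      const path = [];
      for (let at = id; at !== null; at = prev.get(at)) path.unshift(at);
      flows.push({ source: src, sink: id, path, kind: classify(path) });
    }
  }
  return flows;
}

for (const f of findFlows(nodes, edges)) {
  console.log(`${f.kind}: ${f.path.map((id) => nodes[id].text).join(" -> ")}`);
}
```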
Limitations & Future Work
Cordova libraries
More implicit inter-language communications (?)
Android components
Concurrency
Events
Experiments with real-world hybrid applications