Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

Jin, Xing; Wang, Lusha; Luo, Tongbo; Du, Wenliang

doi:10.1007/978-3-319-27659-5_22

Cited by 27 publications

(21 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jin et al [8] addressed the security problems encountered due the existence of bridges between PhoneGap and Android, those bridges break the protection that was already implemented in the WebView because they create holes in the sandbox of the WebView usage architecture. They study the reduction of the permission reachability without effecting business model so they designed a permission based access control model to control permission usage based on frames, it allow developers to assign different permissions to different frames.…”

Section: Related Workmentioning

confidence: 99%

“…This study is based on current implementation of the latest Apache Cordova version (3.5.0) released on (June 12, 2014). Security of such platforms has recently gained the attention, several studies [1,4,8] have analyzed possible security threats and have proposed possible solutions. In this paper, our study focuses on the plugin access model implemented by Cordova framework, which to the best of our knowledge has not been addressed nor analyzed in previous studies.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Reducing Attack Surface on Cordova-based Hybrid Mobile Apps

Shehab

AlJarrah

2014

Proceedings of the 2nd International Workshop on Mobile Development Lifecycle

View full text Add to dashboard Cite

Hybrid mobile application development is increasingly being adopted by the mobile development community since it provides the answer to the challenge of having the right mix of accessibility to mobile native features at an affordable development cost. Apache Cordova library is an example of a middle-ware that enables developers of different mobile operating systems to access mobile native features through web frameworks, such as HTML and JavaScript, which at the same time introduces several security challenges. In this paper, we highlight current security setting limitations of hybrid mobile frameworks and propose a policy based approach to provide limited access to the different pages/states of the app to mitigate the effect of possible attacks. In addition, we downloaded and analyzed 622 real hybrid apps, and presented settings and security statistics.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Reducing Attack Surface on Cordova-based Hybrid Mobile Apps

Shehab

AlJarrah

2014

Proceedings of the 2nd International Workshop on Mobile Development Lifecycle

View full text Add to dashboard Cite

show abstract

“…There have been several works introducing more fine-grained access control mechanism for the cross-language interface in hybrid mobile apps, particularly Cordova, such as NoFrak [10], MobileIFC [22], and others [12,21]. They all identified the breach of the sandbox security and that Cordova fails to restrict access to plugins by untrusted JavaScript code as the major security and privacy concern.…”

Section: Security Considerations For Cordova Appsmentioning

confidence: 99%

On the Static Analysis of Hybrid Mobile Apps

Brucker

Herzberg²

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows. Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e. g., an XSS attacker becomes more powerful. In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.

show abstract

“…Recent works applied the access control and the privilege separation mechanisms in JavaScript and presented several sandbox mechanisms to protect its users from the malicious scripts in the traditional web applications and the HTML5 applications.…”

Section: Related Workmentioning

confidence: 99%

TD‐WS: a threat detection tool of WebSocket and Web Storage in HTML5 websites

Bai

Wang

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

The new features of HTML5 greatly increase the convenience for both web developers and users, but they also bring new security threats. Although the web‐security community has started to analyze the security threats brought by HTML5, little has been performed to address the security threats for the client‐side applications. This paper studies security issues of two popular client‐side primitives: WebSocket and Web Storage. The security threats concerned in this paper are private information stealth through WebSocket and cross‐site scripting vulnerabilities caused by lacking of sanitization for WebSocket messages and Web Storage data. We analyze the unsafe data flows of these two HTML5 primitives in detail. Based on that, we present a threat detection tool called TD‐WS, which can automatically detect the privacy leaks and the cross‐site scripting vulnerabilities in WebSocket and Web Storage applications. The results show that TD‐WS effectively detects the security threats of WebSocket and Web Storage applications. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

Cited by 27 publications

References 14 publications

Reducing Attack Surface on Cordova-based Hybrid Mobile Apps

Reducing Attack Surface on Cordova-based Hybrid Mobile Apps

On the Static Analysis of Hybrid Mobile Apps

TD‐WS: a threat detection tool of WebSocket and Web Storage in HTML5 websites

Contact Info

Product

Resources

About