Access control for plugins in cordova-based hybrid applications

Naoki Kudo, Toshihiro Yamauchi, Thomas H. Austin

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

4 Citations (Scopus)

Abstract

Hybrid application frameworks such as Cordova allow mobile application (app) developers to create platform-independent apps. The code is written in JavaScript, with special APIs to access device resources in a platform-agnostic way. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to tamper with device resources. We further demonstrate a defense against this attack through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to app-repackaging attacks.

Original language: English
Title of host publication: Proceedings - 31st IEEE International Conference on Advanced Information Networking and Applications, AINA 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1063-1069
Number of pages: 7
ISBN (Electronic): 9781509060283
DOI: https://doi.org/10.1109/AINA.2017.61
Publication status: Published - May 5 2017
Event: 31st IEEE International Conference on Advanced Information Networking and Applications, AINA 2017 - Taipei, Taiwan, Province of China
Duration: Mar 27 2017 to Mar 29 2017

Other

Other: 31st IEEE International Conference on Advanced Information Networking and Applications, AINA 2017
Country: Taiwan, Province of China
City: Taipei
Period: 3/27/17 to 3/29/17

Fingerprint

Application programs
Access control
Application programming interfaces (API)

Keywords

  • Access Control
  • Android
  • Hybrid Applications

ASJC Scopus subject areas

  • Engineering (all)

Cite this

Kudo, N., Yamauchi, T., & Austin, T. H. (2017). Access control for plugins in cordova-based hybrid applications. In Proceedings - 31st IEEE International Conference on Advanced Information Networking and Applications, AINA 2017 (pp. 1063-1069). [7921024] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/AINA.2017.61
