Access control mechanism to mitigate Cordova plugin attacks in hybrid applications

Naoki Kudo, Toshihiro Yamauchi, Thomas H. Austin

Research output: Contribution to journal: Article

Abstract

Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.

Language: English
Pages: 396-405
Number of pages: 10
Journal: Journal of Information Processing
Volume: 26
DOIs: 10.2197/ipsjjip.26.396
Publication status: Published - Jan 1 2018

Fingerprint

Access control
Application programming interfaces (API)

Keywords

  • Access control
  • Android
  • Hybrid application

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Access control mechanism to mitigate Cordova plugin attacks in hybrid applications. / Kudo, Naoki; Yamauchi, Toshihiro; Austin, Thomas H.

In: Journal of Information Processing, Vol. 26, 01.01.2018, p. 396-405.


@article{4cb33ed4f1904fdbaf5c0dfb21edf5e5,
title = "Access control mechanism to mitigate Cordova plugin attacks in hybrid applications",
abstract = "Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.",
keywords = "Access control, Android, Hybrid application",
author = "Naoki Kudo and Toshihiro Yamauchi and Austin, {Thomas H.}",
year = "2018",
month = "1",
day = "1",
doi = "10.2197/ipsjjip.26.396",
language = "English",
volume = "26",
pages = "396--405",
journal = "Journal of Information Processing",
issn = "0387-5806",
publisher = "Information Processing Society of Japan",

}

TY - JOUR

T1 - Access control mechanism to mitigate Cordova plugin attacks in hybrid applications

AU - Kudo, Naoki

AU - Yamauchi, Toshihiro

AU - Austin, Thomas H.

PY - 2018/1/1

Y1 - 2018/1/1

N2 - Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.

AB - Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.

KW - Access control

KW - Android

KW - Hybrid application

UR - http://www.scopus.com/inward/record.url?scp=85047077748&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85047077748&partnerID=8YFLogxK

U2 - 10.2197/ipsjjip.26.396

DO - 10.2197/ipsjjip.26.396

M3 - Article

VL - 26

SP - 396

EP - 405

JO - Journal of Information Processing

T2 - Journal of Information Processing

JF - Journal of Information Processing

SN - 0387-5806

ER -