Access control mechanism to mitigate cordova plugin attacks in hybrid applications

Naoki Kudo, Toshihiro Yamauchi, Thomas H. Austin

Research output: Contribution to journalArticlepeer-review

3 Citations (Scopus)


Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agonistic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel apprepackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova’s plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user’s judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism.

Original languageEnglish
Pages (from-to)396-405
Number of pages10
JournalJournal of Information Processing
Publication statusPublished - Jan 2018


  • Access control
  • Android
  • Hybrid application

ASJC Scopus subject areas

  • Computer Science(all)


Dive into the research topics of 'Access control mechanism to mitigate cordova plugin attacks in hybrid applications'. Together they form a unique fingerprint.

Cite this