Reducing Attack Surface on Cordova-Based Hybrid Mobile Apps Mohamed Shehab Abeer AlJarrah Department of Software and Information Systems University of North Carolina at Charlotte Charlotte, NC, USA fmshehab,[email protected] Abstract proach proved to be a promising development solution for Hybrid mobile application development is increasingly be- building generic apps, supported by ready non-commercial ing adopted by the mobile development community since it tools[10, 13]. As this approach is expected to be the future provides the answer to the challenge of having the right mix of mobile development [7], many platforms are competing in of accessibility to mobile native features at an affordable de- the cross-platform hybrid mobile development market based velopment cost. Apache Cordova library is an example of on the services the platform provide to the developer such as a middle-ware that enables developers of different mobile supported platforms, access to native device functions, back- operating systems to access mobile native features through end support and other performance issues. web frameworks, such as HTML and JavaScript, which at Apache Cordova is a middle-ware library that enables ac- the same time introduces several security challenges. In this cess to native device functions by providing a set of APIs paper, we highlight current security setting limitations of that supports interaction with native device functions or hybrid mobile frameworks and propose a policy based ap- “plugins” through Javascript. This library is a key compo- proach to provide limited access to the different pages/states nent of many hybrid platforms including PhoneGap, IBM of the app to mitigate the effect of possible attacks. In addi- Worklight, and App Builder. tion, we downloaded and analyzed 622 real hybrid apps, and In this paper, we analyze the architectural and security de- presented settings and security statistics. tails of the Apache Cordova based frameworks and highlight possible threats on Apps generated using these frameworks. Categories and Subject Descriptors D.4.6 [Security and This study is based on current implementation of the latest Protection]: Access controls; D.2.9 [Software Manage- Apache Cordova version (3.5.0) released on (June 12, 2014). ment]: Software development Security of such platforms has recently gained the atten- Keywords Cross-Platform, Apache Cordova, Access Con- tion, several studies [1, 4, 8] have analyzed possible security trol, Hybrid, PhoneGap threats and have proposed possible solutions. In this paper, our study focuses on the plugin access model implemented 1. Introduction by Cordova framework, which to the best of our knowledge has not been addressed nor analyzed in previous studies. It is The revolution of mobile technologies in terms of hardware important to analyze what security models are implemented and software has created a shift towards investing more in to protect user’s device against possible compromises, es- this landscape. One of the latest revolutions in this area was pecially since all the threats of web based apps can easily the introduction of cross-platform mobile hybrid applica- be transformed to hybrid apps. The current security model tion development which enables developers to code their of the Cordova framework provides a coarse-grained based apps using the standard web stack (HTML, JS, and CSS) plugin access control model where access is granted at the that can access native device functions like-native then pack- app level. In this paper we propose a page based access con- ages these apps towards multiple mobile platforms. This ap- trol model that enables developers to limit the access granted to the different pages of the app. We summarize our contri- Permission to make digital or hard copies of all or part of this work for personal or butions as follows: classroom use is granted without fee provided that copies are not made or distributed - We propose a framework that enables developers to have for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM more control over the plugins exposure to each page of must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, the app, and to specify access policy rules to control to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. plugin access. MobileDeLi ’14, October 21, 2014, Portland, OR, USA. Copyright c 2014 ACM 978-1-4503-2190-7/14/10. $15.00. http://dx.doi.org/10.1145/2688412.2688417 - We analyze a repository of 662 hybrid (Cordova-based) is able to receive data directly from the embedded Web- Android Apps in order to understand developers prac- View by injecting a native Java object into the WebView. tices, apps structure and plugin usage patterns. The object is injected into the currently loaded JavaScript context and the object is accessible through the supplied The rest of the paper is organized as follows: In Section 2, name. Through this Java to JavaScript interface, the injected we provide a brief background of hybrid mobile frameworks Java object’s methods are accessible from JavaScript. Fig- and focus on the details related to the Apache Cordova li- ure 2 demonstrates how a native object is injected into the brary. Section 3 discusses the different security threats in WebView using the addJavascriptInterface method. Cordova-based hybrid mobile frameworks. Section 4 de- tails our proposed page based access framework. Section 5 class JsObject { Native Java public String save(String data) { presents detailed analysis of the downloaded mobile hybrid //save data return "value"; apps. Section 6 provides discussion of the related work. Sec- } tion 7 discusses the future extensions and paper conclusion. } webview.addJavascriptInterface(new JsObject(), "injectedObject"); JavaScript 2. Preliminaries var value = injectedObject.save("data"); Cross-platform hybrid mobile framework manages the con- Figure 2: WebView javascript interface nection between the native app and the embedded web browser component. It enables the app’s JavaScript to com- municate with the native application programming interfaces 2.1 Apache Cordova Library (APIs) to access native resources, such as the network, cam- There are several cross-platform frameworks that implement era, GPS and contacts. In addition, several frameworks pro- Apache Cordova library, we focus on the PhoneGap frame- vide several settings to control and setup the communication work which is a popular framework that uses the Apache channel between the embedded web browser component and Cordova engine as a middleware that provides APIs to es- the hosting native app. tablish communication channels between native code and The web browser component is a user interface compo- JavaScript. In this section, we discuss the details of the nent that can be embedded in a native mobile app to render hybrid PhoneGap apps that target the Android framework, (HTML/CSS) content and execute JavaScript. This compo- and we explain the details of the Cordova implementation nent is available in different mobile frameworks, WebView in the Android framework. Similar overall context applies in Android, UIWebView in iOS, and WebBrowser in Win- for other mobile frameworks that use the Cordova library. dows Phone. In this paper we will focus on Android plat- The Cordova library defines the native (Java) to JavaScript form because of its openness; however, our discussion is interfaces through the WebView interface. The native li- applicable to other platforms as well. The WebView com- brary provides native APIs that are developed as native ponent uses the WebKit rendering engine to display web classes which are referred as plugins or features. These pages, in addition the WebView component executes the plugins include the native code required to access native scripts (JavaScript) imported or included in the page. The device resources such as location services, camera, and con- WebView is embedded in a native app that can control the tacts. In addition to the PhoneGap provided plugins devel- embedded WebView. For example, the native app can load opers can create and include customized third party plu- a URL in the WebView or execute JavaScript in the cur- gins, which requires the definition of both native plugin rently rendered page. Figure 1 demonstrates how the We- libraries and their corresponding JavaScript interfaces. In bView loadUrl method can be used to load a specific URL PhoneGap the app configuration file (config.xml) is used and execute JavaScript in the context of the currently ren- to specify the app settings, such as the plugins to be in- dered page. cluded, the application orientation (landscape, or portrait) WebView webview = new WebView(this); and many other settings. Plugins are included in the app by setContentView(webview); declaring feature tags specifying the plugin library in the webview.getSettings().setJavaScriptEnabled(true); config.xml file, figure 3 shows an example config file which webview.loadUrl("http://www.uncc.edu"); includes the Accelerometer and Compass plugins. Note that webview.loadUrl("javascript:alert('hello');"); the org.apache.cordova.devicemotion.AccelListener, is Figure 1: WebView example the native plugin class name which contains the plugin meth- ods that access the native accelerometer APIs. The developer can customize the WebView’s behav-