HybriDroid: Analysis Framework for

Android Hybrid Applications

Sungho Lee, Julian Dolby, Sukyoung Ryu

Programming Language Research Group

KAIST

June 13, 2015

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 1/45

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 2/45

Analyzing JavaScript

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 3/45

Analyzing JavaScript Web Applications

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 4/45

Analyzing JavaScript Web Applications in theWild

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 5/45

Analyzing JavaScript Web Applications in theWild (Mostly) Statically

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 6/45

Bittersweet ADB: Attacks and Defenses

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 7/45

Bittersweet ADB: Attacks and Defenses

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 8/45

Bittersweet ADB: Attacks and Defenses

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 9/45

Bittersweet ADB: Attacks and Defenses

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 10/45

Bittersweet ADB: Attacks and Defenses

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 11/45

Hey, You, Get Off of My UI

Injection of Malicious Activities and Fragments to Control UIFlows

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 12/45

Motivation

Many mobile platforms out there.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 13/45

Motivation

Many mobile platforms out there.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 14/45

Motivation

To support multiple platforms with native applications,

need to implement one application per platform;

need to repeat application development multiple times.

Web applications cannot use device features.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 15/45

Motivation

Hybrid applications could be one solution.

Hybrid applications use both HTML5 code (HTML, CSS,and JavaScript) and native device features, such as acamera or accelerometer.

Cross-platform tools to build hybrid applications:Apache Cordova, Appcelerator Titanium, Xamarin, . . .

“Gartner Says by 2016, More Than 50 Percent of MobileApps Deployed Will be Hybrid”http://www.gartner.com/newsroom/id/2324917

“Build Once, Run Everywhere”

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 16/45

Motivation

Security risks for hybrid applications

One Malware for multiple platforms!

“Building Hybrid Android Apps with Java and JavaScript”http://shop.oreilly.com/product/0636920028994.do

Challenges in analyzing hybrid applications

They are developed in multiple programming languageswith different data types, values, and semantics.Inter-language communications are not explicit butimplicit; they are not well documented.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 17/45

Hybrid Applications in Android

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 18/45

Hybrid Applications in Android

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 19/45

Hybrid Applications in Android

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 20/45

Implicit Inter-Language Communications

Android Java ⇒ JavaScript

WebView.loadUrl("javascript:request();")

WebView.loadUrl is usually for loading a given URL.

When the prefix of a string argument ofWebView.loadUrl is “javascript:”, it acts like theeval function.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 21/45

Implicit Inter-Language Communications

JavaScript ⇒ Android Java

WebViewClient.shouldOverrideUrlLoading

WebChromeClient.onJsPrompt

WebView.addJavascriptInterface

(from hybrid applications developed in the Cordova framework)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 22/45

Implicit Inter-Language Communications

JavaScript ⇒ Android Java

WebViewClient.shouldOverrideUrlLoading

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 23/45

Implicit Inter-Language Communications

JavaScript ⇒ Android Java

WebChromeClient.onJsPrompt

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 24/45

Implicit Inter-Language Communications

JavaScript ⇒ Android Java

WebView.addJavascriptInterface

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 25/45

addJavascriptInterfacehttp://developer.android.com/reference/android/webkit/WebView.html

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 26/45

addJavascriptInterface

JavaScript can call the Java object’s methods.

It can not access the Java object’s fields.

Only public methods annotated with JavascriptInterface

can be accessed from JavaScript.

Type conversions and restrictions are not specified, but ...

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 27/45

Type Compatibility (by Experiments)

JavaScript ⇒ Android Java: function argument types

int float String boolean Object Array

Null 7(null) 7(null) 7(null) 7(null) 7(null) 7(null)Undefined 7 7 7("undefined") 7 7 7Number 3 3 3(type conversion) 7(false) 7(null) 7(null)Boolean 7(0) 7(0) 3(type conversion) 3 7(null) 7(null)String 7(0) 7(0) 3 7(false) 7(null) 7(null)Object 7(0) 7(0) 7("undefined") 7(false) 7(null) 7(null)Array 7(0) 7(0) 7("undefined") 7(false) 7(null) <

< = 3 if the Array element type is one of primitive types;null if the Array element type is Object;0 if the Array element type is int or float;false if the Array element type is boolean; or"undefined" if the Array element type is String.

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 28/45

Type Compatibility (by Experiments)

Android Java ⇒ JavaScript: function return types

int float String boolean Object Array

JavaScript 3 3(inexact) 3 3 7({}) 7(undefined)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 29/45

HybriDroid

Soundy analysis framework for Android hybrid applications

Support for partial but most implicit inter-language flowsbacked by APIs, blogs, and Dalvik VM source code

Support for partial but most type compatibilitybacked by experiments with trials & errors

Implementation on top of WALA

https://github.com/SunghoLee/WALA/tree/master/HybriDroid/src/kr/

ac/kaist/hybridroid/callgraph

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 30/45

HybriDroid Implementation

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 31/45

HybriDroid Implementation

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 32/45

HybriDroid Implementation

AndroidHybridCallGraphBuilder

Model addJavascriptInterface by binding the Javaobject (first argument) with the given name (secondargument) at the global scope of JavaScriptModel Android Java methods as mockup objects thatare accessible from JavaScript

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 33/45

HybriDroid Implementation

AndroidHybridAnalysisScope

Build a single analysis scope covering both Android Javaand JavaScriptReplace Java with Android Java in the sampleJavaJavaScriptAnalysisScope class

AndroidHybridMethodTargetSelector

Model invocation of Android Java methods fromJavaScript by selecting mockup objects constructed byAndroidHybridCallGraphBuilder as invocation targets

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 34/45

Applications

API misuse detection

Use of void results from Android Java methods inJavaScriptPassing values of incompatible types between AndroidJava methods and JavaScriptWrong number of arguments to Android Java methodsfrom JavaScript

Private data leakage detection

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 35/45

Application: API Misuse Detection (I)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 36/45

Application: API Misuse Detection (I)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 37/45

Application: API Misuse Detection (II)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 38/45

Application: API Misuse Detection (II)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 39/45

Application: API Misuse Detection (III)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 40/45

Application: API Misuse Detection (III)

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 41/45

Application: Private Data Leakage Detection

Private data “sources” and “sinks” via network may beanywhere in Android Java and JavaScript.

Track flows of private data via data flow analysis anddetect possible private data leakage.

Four kinds of private data flows

Android Java (source) ⇒ JavaScript (sink)

Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)

Taint analysis based on WALA’s IFDS implementation

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 42/45

Application: Private Data Leakage Detection

Private data “sources” and “sinks” via network may beanywhere in Android Java and JavaScript.

Track flows of private data via data flow analysis anddetect possible private data leakage.

Four kinds of private data flows

Android Java (source) ⇒ JavaScript (sink)

Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)

Taint analysis based on WALA’s IFDS implementation

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 42/45

Application: Private Data Leakage Detection

Private data “sources” and “sinks” via network may beanywhere in Android Java and JavaScript.

Track flows of private data via data flow analysis anddetect possible private data leakage.

Four kinds of private data flows

Android Java (source) ⇒ JavaScript (sink)

Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java (sink)

JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)

Taint analysis based on WALA’s IFDS implementation

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 42/45

Application: Private Data Leakage Detection

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 43/45

Application: Private Data Leakage Detection

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 44/45

Limitations & Future Work

Cordova libraries

More implicit inter-language communications (?)

Android components

Concurrency

Events

Experiments with real-world hybrid applications

Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 45/45