HybriDroid: Analysis Framework for Android Hybrid Applications
Sungho Lee, Julian Dolby, Sukyoung Ryu
Programming Language Research Group, KAIST
June 13, 2015
Sungho Lee, Julian Dolby, Sukyoung Ryu HybriDroid: Analysis Framework for Android Hybrid Applications 1/45
Analyzing JavaScript Web Applications in the Wild (Mostly) Statically
Bittersweet ADB: Attacks and Defenses
Hey, You, Get Off of My UI: Injection of Malicious Activities and Fragments to Control UI Flows
Motivation
Many mobile platforms out there.
Motivation
To support multiple platforms with native applications, you must implement one application per platform, repeating the development effort for each of them. Web applications run on every platform but cannot use device features.
Motivation
Hybrid applications could be one solution. A hybrid application uses both HTML5 code (HTML, CSS, and JavaScript) and native device features, such as a camera or accelerometer.
Cross-platform tools to build hybrid applications: Apache Cordova, Appcelerator Titanium, Xamarin, ...
"Gartner Says by 2016, More Than 50 Percent of Mobile Apps Deployed Will be Hybrid" http://www.gartner.com/newsroom/id/2324917
Build once, run everywhere.
Motivation
Security risks for hybrid applications: one malware for multiple platforms!
(Building Hybrid Android Apps with Java and JavaScript, http://shop.oreilly.com/product/0636920028994.do)
Challenges in analyzing hybrid applications:
- They are developed in multiple programming languages with different data types, values, and semantics.
- Inter-language communications are implicit rather than explicit, and they are not well documented.
Hybrid Applications in Android
Implicit Inter-Language Communications: Android Java → JavaScript
WebView.loadUrl("javascript:request();")
WebView.loadUrl normally loads the given URL. When the string argument starts with the javascript: prefix, the rest of the string is instead evaluated as JavaScript in the loaded page, so the call acts like the eval function: any Java data concatenated into that string becomes JavaScript code.
Implicit Inter-Language Communications: JavaScript → Android Java
- WebViewClient.shouldOverrideUrlLoading
- WebChromeClient.onJsPrompt
- WebView.addJavascriptInterface
(from hybrid applications developed in the Cordova framework)
addJavascriptInterface (http://developer.android.com/reference/android/webkit/webview.html)
addJavascriptInterface
JavaScript can call the Java object's methods; it cannot access the Java object's fields. Only public methods annotated with @JavascriptInterface can be accessed from JavaScript (for applications targeting API level 17 or higher; with a lower target, every public method is reachable). Type conversions and restrictions are not specified, but...
Type Compatibility (by Experiments): JavaScript → Android Java (function argument types)

JS argument \ Java parameter | int | float | String | boolean | Object | Array
Null      | 0 | 0 | null | false | null | null
Undefined | 0 | 0 | "undefined" | false | null | null
Number    | ✓ (type conversion) | ✓ | ✓ | false | null | null
Boolean   | 0 | 0 | ✓ (type conversion) | ✓ | null | null
String    | 0 | 0 | ✓ | false | null | null
Object    | 0 | 0 | "undefined" | false | null | null
Array     | 0 | 0 | "undefined" | false | null | ✓*

✓ = the value passes; a bare value is what the Java side silently receives instead of the argument. No error is raised in either case, so the JavaScript caller cannot tell that its argument was replaced.
✓* = if the Array element type is one of the primitive types; null if the Array element type is Object; 0 if the Array element type is int or float; false if the Array element type is boolean; or "undefined" if the Array element type is String.
Type Compatibility (by Experiments): Android Java → JavaScript (function return types)

Java return type | int | float | String | boolean | Object | Array
JavaScript value | ✓ | ✓ (inexact) | ✓ | ✓ | {} | undefined
HybriDroid
Soundy analysis framework for Android hybrid applications:
- Supports most (though not all) implicit inter-language flows, backed by the APIs, blogs, and the Dalvik VM source code
- Supports most (though not all) type compatibility rules, backed by trial-and-error experiments
- Implemented on top of WALA: https://github.com/sungholee/wala/tree/master/hybridroid/src/kr/ac/kaist/hybridroid/callgraph
HybriDroid Implementation
HybriDroid Implementation
AndroidHybridCallGraphBuilder
- Models addJavascriptInterface by binding the Java object (first argument) to the given name (second argument) in the JavaScript global scope
- Models Android Java methods as mockup objects that are accessible from JavaScript
HybriDroid Implementation
AndroidHybridAnalysisScope
- Builds a single analysis scope covering both Android Java and JavaScript
- Replaces Java with Android Java in the sample JavaJavaScriptAnalysisScope class
AndroidHybridMethodTargetSelector
- Models invocation of Android Java methods from JavaScript by selecting the mockup objects constructed by AndroidHybridCallGraphBuilder as invocation targets
Applications
API misuse detection:
- Use of void results from Android Java methods in JavaScript
- Passing values of incompatible types between Android Java methods and JavaScript
- Wrong number of arguments to Android Java methods from JavaScript
Private data leakage detection
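The two type-compatibility tables above and the three API misuses listed on this slide, as an added JavaScript model. This is not HybriDroid code: it encodes the reported conversions as functions and runs a small checker over constructed call sites; the bridge signatures in BRIDGE, the method names, and the calls in SAMPLE_CALLS are invented for illustration, and the truncation for Number → int and the per-element reading of the Array footnote are assumptions.

```javascript
// Added example, not HybriDroid code: a JavaScript model of the argument and
// return-value conversions that the two "Type Compatibility (by Experiments)"
// tables report for WebView.addJavascriptInterface, plus a checker for the
// three API misuses listed under "Applications". The signatures in BRIDGE and
// the calls in SAMPLE_CALLS are constructed for illustration.

// Row label of the argument table for a JavaScript value.
function jsKind(v) {
  if (v === null) return "Null";
  if (v === undefined) return "Undefined";
  if (Array.isArray(v)) return "Array";
  const t = typeof v;
  if (t === "number") return "Number";
  if (t === "boolean") return "Boolean";
  if (t === "string") return "String";
  return "Object";
}

// What a Java parameter of type `javaType` receives when JS passes `v`.
// ok === false means the argument is silently replaced by a default
// (0, false, null or "undefined") rather than rejected with an error.
// `elemType` is the Java element type when javaType is "Array".
function coerceArgument(v, javaType, elemType) {
  const kind = jsKind(v);
  switch (javaType) {
    case "int":   // Number is converted (assumption: fraction dropped); anything else becomes 0
      return kind === "Number" ? { value: Math.trunc(v), ok: true } : { value: 0, ok: false };
    case "float":
      return kind === "Number" ? { value: v, ok: true } : { value: 0, ok: false };
    case "boolean":
      return kind === "Boolean" ? { value: v, ok: true } : { value: false, ok: false };
    case "String":
      if (kind === "String") return { value: v, ok: true };
      if (kind === "Number" || kind === "Boolean") return { value: String(v), ok: true }; // type conversion
      if (kind === "Null") return { value: null, ok: false };
      return { value: "undefined", ok: false };   // Undefined, Object and Array
    case "Object":  // every JS value, even a plain object, arrives as null
      return { value: null, ok: false };
    case "Array": { // element-wise conversion (assumption: the table's footnote applies per element)
      if (kind !== "Array") return { value: null, ok: false };
      const elems = v.map((e) => coerceArgument(e, elemType));
      return { value: elems.map((e) => e.value), ok: elems.every((e) => e.ok) };
    }
    default:
      throw new Error("unknown Java parameter type " + javaType);
  }
}

// What JavaScript sees for a Java return value `v` of type `javaType`.
function coerceReturn(v, javaType) {
  switch (javaType) {
    case "void":    return { value: undefined, ok: false }; // nothing comes back
    case "int": case "String": case "boolean":
      return { value: v, ok: true };
    case "float":   return { value: Math.fround(v), ok: true }; // inexact: float32 rounding
    case "Object":  return { value: {}, ok: false };   // an opaque empty object
    case "Array":   return { value: undefined, ok: false };
    default:        throw new Error("unknown Java return type " + javaType);
  }
}

// Constructed signatures of @JavascriptInterface methods (not from any real app).
const BRIDGE = {
  getLocation: { params: [], returns: "String" },
  setVolume:   { params: ["int"], returns: "void" },
  upload:      { params: ["String", "boolean"], returns: "int" },
  loadItems:   { params: ["Array"], elemType: "String", returns: "Array" },
};

const show = (x) => (x === undefined ? "undefined" : JSON.stringify(x));

// Reports the three misuses from the slide for one JS call site.
function checkCall(name, args, resultUsed) {
  const sig = BRIDGE[name];
  if (!sig) return [`unknown bridge method ${name}`];
  const issues = [];
  if (args.length !== sig.params.length)
    issues.push(`wrong number of arguments: ${name} takes ${sig.params.length}, got ${args.length}`);
  sig.params.forEach((javaType, i) => {
    if (i >= args.length) return;
    const r = coerceArgument(args[i], javaType, sig.elemType);
    if (!r.ok) issues.push(`argument ${i} of ${name}: JS ${jsKind(args[i])} arrives as Java ${javaType} ${show(r.value)}`);
  });
  if (resultUsed && sig.returns === "void")
    issues.push(`result of void method ${name} is used (always undefined)`);
  else if (resultUsed && !coerceReturn(null, sig.returns).ok)
    issues.push(`result of ${name} (${sig.returns}) reaches JS as ${show(coerceReturn(null, sig.returns).value)}`);
  return issues;
}

// Constructed call sites, as a static checker would see them.
const SAMPLE_CALLS = [
  { name: "setVolume", args: [7.9], resultUsed: true },             // void result used
  { name: "upload", args: ["a.txt", "yes"], resultUsed: false },    // "yes" arrives as false
  { name: "getLocation", args: [1], resultUsed: true },             // wrong arity
  { name: "loadItems", args: [["x", 2, null]], resultUsed: true },  // null element, Array result lost
];

function runChecks(calls = SAMPLE_CALLS) {
  return calls.map((c) => ({ name: c.name, issues: checkCall(c.name, c.args, c.resultUsed) }));
}
```

Run with node and print runChecks(): each constructed call site reports the misuse commented beside it, and none of them would fail at run time, which is why a static check is needed.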
Application: API Misuse Detection (I)
Application: API Misuse Detection (II)
Application: API Misuse Detection (III)
Application: Private Data Leakage Detection
Private data sources, and sinks that send data over the network, may be anywhere in the Android Java code and in the JavaScript code. Track the flows of private data with a data flow analysis and report possible private data leakage.
Four kinds of private data flows:
1. Android Java (source) → JavaScript (sink)
2. Android Java (source) → JavaScript → Android Java (sink)
3. JavaScript (source) → Android Java (sink)
4. JavaScript (source) → Android Java → JavaScript (sink)
Taint analysis based on WALA's IFDS implementation.
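The four flow kinds above, as an added JavaScript example that is not HybriDroid code and not WALA's IFDS solver: a small fixpoint taint propagation over a constructed two-language program, in which the implicit bridges (addJavascriptInterface calls and their return values, and the loadUrl("javascript:...") channel from the earlier slide) are modelled as data-flow edges. The program, its statement format, and its sources and sinks are invented for illustration; a real analysis works on Dalvik and JavaScript IR and also needs the onJsPrompt and shouldOverrideUrlLoading channels.

```javascript
// Added example, not HybriDroid code: cross-language taint propagation over a
// constructed program, classifying each leak by the languages its data passed
// through. Statement format, names, sources and sinks are all invented here.

const PROGRAM = [
  // Android Java side
  { lang: "Java", op: "addJavascriptInterface", object: "Bridge", name: "android" },
  { lang: "Java", op: "decl", name: "Bridge.getId", params: [] },
  { lang: "Java", op: "decl", name: "Bridge.log", params: ["msg"] },
  { lang: "Java", op: "decl", name: "Bridge.echo", params: ["s"] },
  { lang: "Java", op: "source", def: "imei", src: "TelephonyManager.getDeviceId" },
  { lang: "Java", op: "return", method: "Bridge.getId", use: "imei" },
  { lang: "Java", op: "return", method: "Bridge.echo", use: "s" },
  { lang: "Java", op: "sink", use: "msg", dst: "HttpURLConnection (Java)" },
  { lang: "Java", op: "loadUrl", use: "imei", jsFunc: "onId" },   // loadUrl("javascript:onId('" + imei + "')")
  // JavaScript side
  { lang: "JavaScript", op: "decl", name: "onId", params: ["id"] },
  { lang: "JavaScript", op: "sink", use: "id", dst: "XMLHttpRequest (JS)" },      // kind 1
  { lang: "JavaScript", op: "call", def: "v", method: "android.getId" },
  { lang: "JavaScript", op: "call", method: "android.log", args: ["v"] },         // kind 2
  { lang: "JavaScript", op: "source", def: "ck", src: "document.cookie" },
  { lang: "JavaScript", op: "call", method: "android.log", args: ["ck"] },        // kind 3
  { lang: "JavaScript", op: "call", def: "e", method: "android.echo", args: ["ck"] },
  { lang: "JavaScript", op: "sink", use: "e", dst: "XMLHttpRequest (JS)" },       // kind 4
];

function analyze(program) {
  const key = (lang, v) => `${lang}:${v}`;
  const binding = {};  // JS global name -> Java object, from addJavascriptInterface
  const decls = {};    // "lang:name" -> parameter names
  for (const s of program) {
    if (s.op === "addJavascriptInterface") binding[s.name] = s.object;
    if (s.op === "decl") decls[key(s.lang, s.name)] = s.params;
  }
  const param = (lang, name, i) => (decls[key(lang, name)] || [])[i];

  // taint: "lang:var" -> Map(factKey -> { source, path }); path = languages visited so far
  const taint = new Map();
  const facts = (lang, v) => [...(taint.get(key(lang, v)) || new Map()).values()];
  function add(lang, v, fs) {           // returns true when a new fact was learned
    if (v === undefined) return false;
    const m = taint.get(key(lang, v)) || new Map();
    let grew = false;
    for (const f of fs) {
      const fk = f.source + "|" + f.path.join(">");
      if (!m.has(fk)) { m.set(fk, f); grew = true; }
    }
    taint.set(key(lang, v), m);
    return grew;
  }
  // Crossing a bridge edge into `lang` extends the fact's language path.
  const cross = (fs, lang) => fs.map((f) => ({
    source: f.source,
    path: f.path[f.path.length - 1] === lang ? f.path : f.path.concat(lang),
  }));

  let changed = true;
  while (changed) {                     // iterate to a fixpoint
    changed = false;
    for (const s of program) {
      let grew = false;
      if (s.op === "source") grew = add(s.lang, s.def, [{ source: s.src, path: [s.lang] }]);
      else if (s.op === "return") grew = add(s.lang, "ret:" + s.method, facts(s.lang, s.use));
      else if (s.op === "loadUrl")      // Java -> JS: data embedded in "javascript:f('...')" becomes f's argument
        grew = add("JavaScript", param("JavaScript", s.jsFunc, 0), cross(facts("Java", s.use), "JavaScript"));
      else if (s.op === "call") {       // JS -> Java via the injected object; Java -> JS via the return value
        const [obj, m] = s.method.split(".");
        const jm = binding[obj] + "." + m;
        (s.args || []).forEach((a, i) => {
          if (add("Java", param("Java", jm, i), cross(facts("JavaScript", a), "Java"))) grew = true;
        });
        if (s.def && add("JavaScript", s.def, cross(facts("Java", "ret:" + jm), "JavaScript"))) grew = true;
      }
      if (grew) changed = true;
    }
  }
  const leaks = [];
  for (const s of program)
    if (s.op === "sink")
      for (const f of facts(s.lang, s.use))
        leaks.push({ source: f.source, sink: s.dst, path: f.path.join(" -> ") });
  return leaks;
}
```

analyze(PROGRAM) reports one leak per flow kind; the second kind only appears because the return value of Bridge.getId is linked to the JavaScript variable v and v's argument position is linked back to the Java parameter msg, which is exactly the linking an analysis that stops at the language boundary misses.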
Limitations & Future Work
- Cordova libraries
- More implicit inter-language communications (?)
- Android components
- Concurrency
- Events
- Experiments with real-world hybrid applications