Abstract: In hybrid mobile applications (apps), the core code of an app is in JavaScript. Any JavaScript code in a hybrid app, local or remote, can access available APIs, including JavaScript bridges provided by a hybrid development framework, to access device resources. This JavaScript inclusion capability is dangerous since there is no mechanism to determine the origin (party) of the code to control access. Moreover, any JavaScript code running in a mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Furthermore, most solutions require modification of the base platform. In this article, we propose a novel policy enforcement framework to enforce useful fine-grained security and privacy policies based on permission for each party in hybrid mobile apps. In contrast to the conventional permission model in mobile apps, our permission specification is platform-agnostic and context-aware. This new permission specification allows app developers to customize for different parties over single permission. We integrate our permission specification into an app at the development phase; however, by design, it allows end-users to adjust parameters at runtime to protect their privacy. Together with multi-party permission patterns, we introduce comprehensive classes of expensive fine-grained, stateful policies that developers can deploy in practice. These policy patterns can help to protect the privacy of users and can also mitigate significant types of potential attacks in hybrid apps, evidenced by our real-world evaluation. Our experimental results also demonstrate that the framework is compatible with various hybrid development frameworks over two major mobile platforms, with lightweight overhead.
Keywords: Security, permission, privacy, hybrid mobile apps
