Article type: Research Article
Authors: Phung, Phu H. [a, *] | Reddy, Rakesh S.V. [a] | Cap, Steven [a] | Pierce, Anthony [a] | Mohanty, Abhinav [b] | Sridhar, Meera [b]
Affiliations: [a] Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA. E-mails: phu@udayton.edu, sunkaralakuntavenkr1@udayton.edu, caps01@udayton.edu, piercea7@udayton.edu | [b] Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC, USA. E-mails: amohant1@uncc.edu, msridhar@uncc.edu
Correspondence: [*] Corresponding author. E-mail: phu@udayton.edu; URL: http://academic.udayton.edu/PhuPhung/.
Abstract: In hybrid mobile applications (apps), the core code of an app is in JavaScript. Any JavaScript code in a hybrid app, local or remote, can access available APIs, including JavaScript bridges provided by a hybrid development framework, to access device resources. This JavaScript inclusion capability is dangerous since there is no mechanism to determine the origin (party) of the code to control access. Moreover, any JavaScript code running in a mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova), or only protect the device resources and disregard the sensitive elements in the web environment. Furthermore, most solutions require modification of the base platform. In this article, we propose a novel policy enforcement framework to enforce useful fine-grained security and privacy policies based on permission for each party in hybrid mobile apps. In contrast to the conventional permission model in mobile apps, our permission specification is platform-agnostic and context-aware. This new permission specification allows app developers to customize a single permission for different parties. We integrate our permission specification into an app at the development phase; however, by design, it allows end-users to adjust parameters at runtime to protect their privacy. Together with multi-party permission patterns, we introduce comprehensive classes of expressive fine-grained, stateful policies that developers can deploy in practice. These policy patterns can help to protect the privacy of users and can also mitigate significant types of potential attacks in hybrid apps, as evidenced by our real-world evaluation. Our experimental results also demonstrate that the framework is compatible with various hybrid development frameworks over two major mobile platforms, with lightweight overhead.
Keywords: Security, permission, privacy, hybrid mobile apps
DOI: 10.3233/JCS-191350
Journal: Journal of Computer Security, vol. 28, no. 3, pp. 375-404, 2020
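The abstract describes per-party, context-aware, stateful permission policies mediating JavaScript bridge calls, with parameters an end-user can adjust. The following is an added illustration of that idea in JavaScript; it is not the paper's framework or code. It assumes a hypothetical `party` label supplied by the app's script loader, a constructed stand-in `bridge.getLocation` API, and a constructed two-party policy table.

```javascript
// Added illustration (not the paper's code): a reference monitor that mediates
// a constructed device-bridge call and enforces per-party, stateful,
// context-aware permission policies. Party identity is assumed to be supplied
// by the app's script loader (hypothetical `party` argument).

// Constructed stand-in for a framework-provided JavaScript bridge.
const bridge = {
  getLocation: () => ({ lat: 39.740123, lon: -84.179456 }),
};

// Per-party policy (constructed). `maxCalls` is a stateful quota, `precision`
// is an end-user adjustable parameter (decimal places retained), and
// `contexts` lists the app states in which the call is permitted.
const policy = {
  "first-party": { maxCalls: Infinity, precision: 6, contexts: ["foreground", "background"] },
  "ad-network":  { maxCalls: 2, precision: 1, contexts: ["foreground"] },
};

const callCounts = new Map(); // party -> calls made so far (policy state)

function round(value, places) {
  const factor = 10 ** places;
  return Math.round(value * factor) / factor;
}

// Mediated entry point: every JavaScript party is expected to go through here.
// Returns a decision object rather than throwing, so callers can be audited.
function guardedGetLocation(party, appState) {
  const p = policy[party];
  if (!p) return { allowed: false, reason: "unknown party" };
  if (!p.contexts.includes(appState)) return { allowed: false, reason: "context" };
  const used = callCounts.get(party) || 0;
  if (used >= p.maxCalls) return { allowed: false, reason: "quota" };
  callCounts.set(party, used + 1);
  const loc = bridge.getLocation();
  // Coarsen the result per the party's precision parameter before returning it.
  return { allowed: true, lat: round(loc.lat, p.precision), lon: round(loc.lon, p.precision) };
}

// Clears quota state, e.g. when the user adjusts parameters at runtime.
function resetPolicyState() { callCounts.clear(); }
```

In a real deployment the raw bridge object must be unreachable from app scripts so that the mediated function is the only path to the resource; this toy `bridge` constant does not enforce that.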