Secure HybridApp: A detection method on the risk of privacy leakage in HTML5 hybrid applications based on dynamic taint tracking

摘要

In the past few years, HTML5-based mobile applications are becoming more and more popular because they can run across different platforms, which greatly reduces the developing cost and improves the production efficiency. This kind of app is also called hybrid app. It can access the platform resources mostly like a native app with the help of many third-party frameworks. As we all know, web apps are prone to many kinds of attacks which can cause privacy leakage. HTML5 apps are a kind of web app, which means they can also be attacked by these web attacking methods. Due to the dynamic nature of hybrid apps, it is very hard to analyze the malicious behavior in them based on static or dynamic code analysis. But dynamic taint tracking method is very suitable for this task, it treats the user privacy as taint data and check whether it will be leaked out through illegal channels. Once this kind of action is found, we can stop it immediately and notice the app user about it. In this paper, we mainly talk about the privacy data, the privacy leakage channels in HTML5 hybrid apps. And we propose a dynamic method to avoid privacy leakage based on dynamic taint tracking in Android. It can be applied to other systems.