Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

  • Conference paper
Information Security

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7807)

Abstract

HTML5-based mobile applications are becoming more and more popular because they can run on different platforms. Several newly introduced mobile operating systems natively support HTML5-based applications. For those that do not provide native support, such as Android, iOS, and Windows Phone, developers can build HTML5-based applications using middleware such as PhoneGap. On these platforms, programs are loaded into a web component called WebView, which can render HTML5 pages and execute JavaScript code. The WebView sandbox isolates this content from system resources, so for the program to access those resources, bridges need to be built between JavaScript and the native code (e.g. Java code in Android). Unfortunately, such bridges break the existing protection that was originally built into WebView. In this paper, we study the potential risks of HTML5-based applications and investigate how the access control of existing mobile systems supports these applications. We focus on Android and the PhoneGap middleware; however, our ideas can be applied to other platforms. Our studies indicate that Android does not provide adequate access control for this kind of application. We propose a fine-grained access control mechanism for the bridge in the Android system. We have implemented our scheme in Android and have evaluated its effectiveness and performance.

Corresponding author

Correspondence to Xing Jin.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Jin, X., Wang, L., Luo, T., Du, W. (2015). Fine-Grained Access Control for HTML5-Based Mobile Applications in Android. In: Desmedt, Y. (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_22

  • DOI: https://doi.org/10.1007/978-3-319-27659-5_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27658-8

  • Online ISBN: 978-3-319-27659-5

  • eBook Packages: Computer Science, Computer Science (R0)
