On the Static Analysis of Hybrid Mobile Apps

A Report on the State of Apache Cordova Nation
  • Achim D. BruckerEmail author
  • Michael Herzberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9639)


Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.

Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e. g., an XSS attacker becomes more powerful.

In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.


Static program analysis Static application security testing Android Cordova Hybrid mobile apps 



We would like to thank Jens Heider and Stephan Huber from Fraunhofer SIT who provided us with the initial list of Cordova apps for our evaluation. This research was partially supported by the Federal Ministry for Education and Research (BMBF) in the context of the project ZertApps (


  1. 1.
    Anderson, P.: Measuring the value of static-analysis tool deployments. IEEE Secur. Priv. 10(3), 40–47 (2012)CrossRefGoogle Scholar
  2. 2.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: PLDI 2014, pp. 259–269. ACM (2014)Google Scholar
  3. 3.
    Bachmann, R., Brucker, A.D.: Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD) 38(4), 257–261 (2014)CrossRefGoogle Scholar
  4. 4.
    Batyuk, L., Herpich, M., Camtepe, S.A., Raddatz, K., Schmidt, A.D., Albayrak, S.: Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within android applications. In: Malicious and Unwanted Software (MALWARE), pp. 66–72. IEEE (2011)Google Scholar
  5. 5.
    Bessey, A., Block, K., Chelf, B., Chou, A., Fulton, B., Hallem, S., Henri-Gros, C., Kamsky, A., McPeak, S., Engler, D.: A few billion lines of code later: using static analysis to find bugs in the real world. Commun. ACM 53, 66–75 (2010)CrossRefGoogle Scholar
  6. 6.
    Brucker, A.D., Sodan, U.: Deploying static application security testing on a large scale. In: Katzenbeisser, S., Lotz, V., Weippl, E. (eds.) GI Sicherheit 2014, Lecture Notes in Informatics, vol. 228, pp. 91–101. GI (2014)Google Scholar
  7. 7.
    Feldthaus, A., Schafer, M., Sridharan, M., Dolby, J., Tip, F.: Efficient construction of approximate call graphs for JavaScript IDE services. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 752–761. IEEE (2013)Google Scholar
  8. 8.
    Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: automated security certification of android applications. Technical report CS-TR-4991, Department of Computer Science, University of Maryland, College Park (2009)Google Scholar
  9. 9.
    Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: CSS, pp. 38–49. ACM (2012)Google Scholar
  10. 10.
    Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: NDSS 2014. The Internet Society (2014)Google Scholar
  11. 11.
    Guha, A., Krishnamurthi, S., Jim, T.: Using static analysis for AJAX intrusion detection. In: World Wide Web, pp. 561–570. ACM (2009)Google Scholar
  12. 12.
    Jin, X., Wang, L., Luo, T., Du, W.: Fine-grained access control for HTML5-basedmobile applications in Android. In: ISC (2013)Google Scholar
  13. 13.
    Kim, J., Yoon, Y., Yi, K., Shin, J., Center, S.: Scandal: static analyzer for detecting privacy leaks in android applications. MoST (2012)Google Scholar
  14. 14.
    Lee, S., Dolby, J., Ryu, S.: Hybridroid: Analysis framework for Android hybrid applications (2015)Google Scholar
  15. 15.
    Li, S., Tan, G.: Finding bugs in exceptional situations of JNI programs. In: CCS, pp. 442–452. ACM (2009)Google Scholar
  16. 16.
    Madsen, M., Livshits, B., Fanning, M.: Practical static analysis of javascript applications in the presence of frameworks and libraries. In: Foundations of Software Engineering, pp. 499–509. ACM (2013)Google Scholar
  17. 17.
    McGraw, G.: Software Security: Building Security In. Addison-Wesley, Boston (2006)Google Scholar
  18. 18.
    Mohr, M., Graf, J., Hecker, M.: Jodroid: Adding android support to a static information flow control tool. In: Conference on Programming Languages (2015)Google Scholar
  19. 19.
    Rubin, A.D., Geer Jr., D.E.: A survey of web security. Computer 31(9), 34–41 (1998)CrossRefGoogle Scholar
  20. 20.
    Shabtai, A., Fledel, Y., Elovici, Y.: Automated static code analysis for classifying android applications using machine learning. In: CIS, pp. 329–333. IEEE (2010)Google Scholar
  21. 21.
    Shehab, M., AlJarrah, A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Workshop on Mobile Development Lifecycle, pp. 1–8. ACM (2014)Google Scholar
  22. 22.
    Singh, K.: Practical context-aware permission control for hybrid mobile applications. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 307–327. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  23. 23.
    Stuttard, D., Pinto, M.: The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws. Wiley, New York (2011)Google Scholar
  24. 24.
    Taly, A., Erlingsson, Ú., Mitchell, J.C., Miller, M.S., Nagra, J.: Automated analysis of security-critical JavaScript apis. In: SP, pp. 363–378. IEEE (2011)Google Scholar
  25. 25.
    Tan, G., Appel, A.W., Chakradhar, S., Raghunathan, A., Ravi, S., Wang, D.: Safe Java native interface. In: Secure Software Engineering, pp. 97–106 (2006)Google Scholar
  26. 26.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: Taj: effective taint analysis of web applications. ACM Sigplan Not. 44(6), 87–97 (2009)CrossRefGoogle Scholar
  27. 27.
    Tsipenyuk, K., Chess, B., McGraw, G.: Seven pernicious kingdoms: a taxonomy of software security errors. IEEE Secur. Priv. 3(6), 81–84 (2005)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceThe University of SheffieldSheffieldUK
  2. 2.SAP SEKarlsruheGermany

Personalised recommendations