Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

  • Xing Jin
  • Lusha Wang
  • Tongbo Luo
  • Wenliang Du
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7807)


HTML5-based mobile applications are becoming more and more popular because they can run on different platforms. Several newly introduced mobile operating systems natively support HTML5-based applications. For those that do not provide native support, such as Android, iOS, and Windows Phone, developers can develop HTML5-based applications using middleware, such as PhoneGap. On these platforms, programs are loaded into a web component, called WebView, which can render HTML5 pages and execute JavaScript code. In order for the program to access system resources, which are isolated from the content inside WebView by its sandbox, bridges need to be built between JavaScript and the native code (e.g. Java code in Android). Unfortunately, such bridges break the existing protection that was originally built into WebView. In this paper, we study the potential risks of HTML5-based applications, and investigate how the existing mobile systems' access control supports these applications. We focus on Android and the PhoneGap middleware. However, our ideas can be applied to other platforms. Our studies indicate that Android does not provide adequate access control for this kind of application. We propose a fine-grained access control mechanism for the bridge in the Android system. We have implemented our scheme in Android and have evaluated its effectiveness and performance.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Syracuse University, Syracuse, USA
