Detecting Vulnerable JavaScript Libraries in Hybrid Android Applications
Loading...
Date
2019-02-15
Authors
Volodin, Nikita
Journal Title
Journal ISSN
Volume Title
Publisher
University of Waterloo
Abstract
Smartphone devices are very popular. There are a lot of devices being sold, a lot of applications that are created and a lot of people using those applications. However, mobile applications could only be created in the native language of the mobile platform, for example, Java for Android, or Objective-C for iOS. The concept of hybrid mobile applications was introduced, in order to help developers create mobile cross-platform applications. These hybrid application platforms allow mobile application developers to use other development languages and their ecosystems. In particular, we are focusing on Android hybrid applications created using the Apache Cordova framework, which uses JavaScript (JS) as its development language.
We develop an automated method that can detect libraries used by hybrid applications that are known to be vulnerable. This search is performed by applying methods similar to Java code clone detection methods to the dynamic JavaScript language. We derive a signature from the reference JS file in a library and a signature from the unknown JS file in an application. Further, we compare those two signatures to produce a numerical similarity value indicating how close two files are. From this, we conclude whether the unknown file is identical or similar to the known reference file.
From the npm repository, we collect JS libraries that are known to be vulnerable based on the vulnerability data provided by Snyk, and end up with 10 686 distinct versions across 698 distinct libraries. We also have access to roughly 100 000 carefully collected Android applications, from which we find that 5652 are Cordova based hybrid applications. We find with manual verification for ten random apps that we can match 71% of library names and 80% of library names and versions. From the analysis of the entire application set, we find that 2557 (45.24%) hybrid applications from our reference set have at least one vulnerable library.
Our results show that it is possible to create a tool that conducts code clone detection for the dynamic JS language. Our approach still requires some refinement and improvements for minified JS files. However, it could be used as a stepping stone towards a very precise code clone detection tool based on JS source code analysis.