Detecting Vulnerable JavaScript Libraries in Hybrid Android Applications

dc.contributor.authorVolodin, Nikita
dc.date.accessioned2019-02-15T19:56:08Z
dc.date.available2019-02-15T19:56:08Z
dc.date.issued2019-02-15
dc.date.submitted2019-02-11
dc.description.abstractSmartphone devices are very popular. There are a lot of devices being sold, a lot of applications that are created and a lot of people using those applications. However, mobile applications could only be created in the native language of the mobile platform, for example, Java for Android, or Objective-C for iOS. The concept of hybrid mobile applications was introduced, in order to help developers create mobile cross-platform applications. These hybrid application platforms allow mobile application developers to use other development languages and their ecosystems. In particular, we are focusing on Android hybrid applications created using the Apache Cordova framework, which uses JavaScript (JS) as its development language. We develop an automated method that can detect libraries used by hybrid applications that are known to be vulnerable. This search is performed by applying methods similar to Java code clone detection methods to the dynamic JavaScript language. We derive a signature from the reference JS file in a library and a signature from the unknown JS file in an application. Further, we compare those two signatures to produce a numerical similarity value indicating how close two files are. From this, we conclude whether the unknown file is identical or similar to the known reference file. From the npm repository, we collect JS libraries that are known to be vulnerable based on the vulnerability data provided by Snyk, and end up with 10 686 distinct versions across 698 distinct libraries. We also have access to roughly 100 000 carefully collected Android applications, from which we find that 5652 are Cordova based hybrid applications. We find with manual verification for ten random apps that we can match 71% of library names and 80% of library names and versions. From the analysis of the entire application set, we find that 2557 (45.24%) hybrid applications from our reference set have at least one vulnerable library. Our results show that it is possible to create a tool that conducts code clone detection for the dynamic JS language. Our approach still requires some refinement and improvements for minified JS files. However, it could be used as a stepping stone towards a very precise code clone detection tool based on JS source code analysis.en
dc.identifier.urihttp://hdl.handle.net/10012/14472
dc.language.isoenen
dc.pendingfalse
dc.publisherUniversity of Waterlooen
dc.titleDetecting Vulnerable JavaScript Libraries in Hybrid Android Applicationsen
dc.typeMaster Thesisen
uws-etd.degreeMaster of Mathematicsen
uws-etd.degree.departmentDavid R. Cheriton School of Computer Scienceen
uws-etd.degree.disciplineComputer Scienceen
uws-etd.degree.grantorUniversity of Waterlooen
uws.comment.hiddenI made sure my latex compiler does not complain about overflows. Thank you for reviewing my thesis! :)en
uws.contributor.advisorHengartner, Urs
uws.contributor.advisorNagappan, Meiyappan
uws.contributor.affiliation1Faculty of Mathematicsen
uws.peerReviewStatusUnrevieweden
uws.published.cityWaterlooen
uws.published.countryCanadaen
uws.published.provinceOntarioen
uws.scholarLevelGraduateen
uws.typeOfResourceTexten

Files

Original bundle

Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
Volodin_Nikita.pdf
Size:
274.59 KB
Format:
Adobe Portable Document Format
Description:

License bundle

Now showing 1 - 1 of 1
No Thumbnail Available
Name:
license.txt
Size:
6.08 KB
Format:
Item-specific license agreed upon to submission
Description: