Understanding JavaScript Vulnerabilities in Large Real-World Android Applications

IEEE Transactions on Dependable and Secure Computing (2020)

Abstract
JavaScript-related vulnerabilities are becoming a major security threat to hybrid mobile applications. In this article, we present a systematic study to understand how JavaScript is used in real-world Android apps and how it may lead to security vulnerabilities. We first conduct an empirical study on the top 100 most popular Android apps to investigate JavaScript usage and the related security vulnerabilities. Our study identifies four categories of JavaScript usage and finds that three of them, if used inappropriately, can each lead to a corresponding type of vulnerability. We further design and implement an automatic tool named JSDroid to detect JavaScript-related vulnerabilities. We have applied JSDroid to 1,000 large-scale real-world Android apps and found that over 70% of these apps involve potential JavaScript-related vulnerabilities and 20% of them can be successfully exploited. Moreover, based on the vulnerabilities identified by JSDroid, we have successfully launched real attacks on 30 real-world apps.
Keywords
Android apps, JavaScript, WebView, security vulnerabilities, empirical study