CRII: SaTC: A Language Based Approach to Hybrid Mobile App Security

The last few years have seen an explosive growth in the share of hybrid mobile apps worldwide, coinciding with the increasing ubiquity of HTML5. Hybrid app frameworks allow mobile developers to design app code using web technologies alone, and supply native and bridge code (APIs for accessing device resources) necessary for instant porting to several mobile platforms.

This research will develop techniques to mitigate critical security and privacy vulnerabilities in hybrid app frameworks, by creating an airtight security model robust against bridge exploits, and minimizing the overall attack surface of the hybrid framework. In a global society increasingly reliant on mobile technology, mobile app security constitutes a pressing responsibility, and impacts several sections of society, including children. This project will provide a significant contribution towards meeting this challenge. Case studies, practical examples, and research experience gained from this project will be integrated into graduate-level courses, especially Master's and certificate programs in cyber-security. Additionally, interesting techniques and examples developed in this project will be incorporated into curricula specifically targeted for women in computing initiatives, with the objective of attracting and retaining more women in computing fields.

This research will explore extension of powerful language-based security techniques, in-lined reference monitoring (IRM) and static analysis, to the novel and significant problem domain of hybrid app security. The research has three major goals: 1) defining a systematic mapping of the hybrid app attack surface, and establishing a class of security policies that target effective language-based enforcement; 2) adapting the IRM approach to the complex, cross-platform hybrid software stack, including effective complete mediation for seamless protection and tamper-proofing of the monitoring system; 3) designing an effective static-analysis algorithm to infer fine-grained permissions-regions for pages in a hybrid app. These permissions regions will improve bridge access granularity, and serve as security policy models for integration into the IRM framework for enforcement. These goals will serve towards building automatic protection technologies for hybrid apps, transparent enforcement that preserves the functionality of safe apps, and retroactive enforcement that can be applied to vulnerable apps in the wild.