KAIST
BREAKTHROUGHS

Research Webzine of the KAIST College of Engineering since 2014

Spring 2025 Vol. 24
Computing

HybriDroid: Static analysis framework for android hybrid applications

July 27, 2023

HybriDroid is a novel static analysis framework for Android hybrid apps, which analyzes inter-communication between Java and JavaScript. It is useful in detecting programmer errors due to misunderstanding of inter-language communication and possible private data leakage through ad platforms.

 

 

Article | Spring 2018

 

 

Professor Sukyoung Ryu and her research team developed HybriDroid, a static analysis framework for Android hybrid applications that can detect type-related errors and information leaks across language boundaries. Prof. Ryu, who specializes in program analysis, collaborated with Dr. Julian Dolby from IBM Research on this research project.

Mobile applications (apps) have long invaded the realm of desktop apps, and hybrid apps are becoming a promising solution for supporting multiple mobile platforms. Providing both platform-specific functionality via native code, like native apps, and user interaction via JavaScript code, like web apps, hybrid apps help developers build apps for different platforms without much duplicated effort. However, most hybrid apps are developed in multiple programming languages with different semantics, which makes them prone to programmer errors. Moreover, because untrusted JavaScript code may access device-specific features via native code, hybrid apps may be vulnerable to various security attacks. Unfortunately, no existing tools can help hybrid app developers by detecting errors or security holes.

In this research project, Prof. Ryu’s team presented HybriDroid, a static analysis framework for Android hybrid apps. Among various hybrid apps on different platforms, they focused on Android hybrid apps because they can check their understanding of the Android hybrid semantics by investigating the publicly available Android source code. They inspected the semantics of Android hybrid apps especially for the interoperation mechanism of Java and JavaScript. Because even the Android documentation does not fully specify the semantics, they identified the semantics via extensive testing and confirmed the semantics by studying the source code. In addition, since Android hybrid apps may load multiple web pages, where each web page has its own JavaScript environment, analysis of Android hybrid apps requires analysis of interactions between a single Java environment and multiple JavaScript environments. To analyze such interactions, they analyze all web pages with the Java environment at the same time as the following figure illustrates:

 

Figure 1. Modeling of JavaScript/Java environments

 

 

Their modeling soundly abstracts the Android hybrid app environments, and we can further improve the modeling precision by reflecting asynchronous execution of JavaScript code in multiple pages when necessary.

They designed and implemented a static analysis framework that analyzes Android hybrid apps by constructing call graphs for both Java and JavaScript via an on-the-fly pointer analysis. Their implementation is built on top of WALA, an open-source analysis framework for Java and JavaScript, developed and maintained by IBM Research. To show possible use cases of HybriDroid, they presented two tools: a bug detector that identifies programmer errors due to the hybrid semantics and a taint analyzer that finds information leaks across language boundaries. Their empirical evaluation showed that the tools are usable in practice in that they found previously undiscovered bugs, such as MethodNotFound errors due to obfuscation, in real-world Android hybrid apps and possible information leaks via a widely used advertising platform.
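The MethodNotFound case mentioned above arises because JavaScript looks up bridge methods by name at run time, while an obfuscator may rename the Java methods at build time. The following sketch is an added example, not HybriDroid or WALA code: it replaces the call-graph and pointer analysis with simple pattern matching to show the mismatch a checker has to find. It assumes the Java object is injected into the page under the name `bridge` and that only methods carrying Android's `@JavascriptInterface` annotation are exposed; all sources and the mapping are constructed samples.

```python
import re

# Constructed sample inputs (not taken from any real app).
JAVA_SRC = '''
class Bridge {
    @JavascriptInterface public String getDeviceId() { return id; }
    @JavascriptInterface public void showToast(String msg) { }
    public void internalReset() { }   // no annotation: hidden from the page
}
'''
# ProGuard-style mapping: original member -> name in the shipped app.
MAPPING = '''
com.example.Bridge -> com.example.Bridge:
    java.lang.String getDeviceId() -> a
    void showToast(java.lang.String) -> showToast
    void internalReset() -> b
'''
JS_SRC = '''
var id = bridge.getDeviceId();
bridge.showToast("hello " + id);
bridge.internalReset();
'''

def exposed_methods(java_src):
    """Names of methods annotated @JavascriptInterface in the Java source."""
    return set(re.findall(
        r'@JavascriptInterface\s+public\s+[\w.<>\[\]]+\s+(\w+)\s*\(', java_src))

def renames(mapping):
    """Map each original method name to its name after obfuscation."""
    return {m.group(1): m.group(2) for m in re.finditer(
        r'^\s+\S+\s+(\w+)\(.*\)\s+->\s+(\w+)$', mapping, re.M)}

def check_bridge_calls(java_src, mapping, js_src, bridge_name='bridge'):
    """Return (method, reason) for each JS bridge call that cannot resolve."""
    exposed, renamed = exposed_methods(java_src), renames(mapping)
    # Names the page can actually look up on the injected object at run time.
    runtime = {renamed.get(name, name) for name in exposed}
    findings = []
    for call in re.findall(r'\b%s\.(\w+)\s*\(' % re.escape(bridge_name), js_src):
        if call not in runtime:
            reason = ("renamed to '%s' by obfuscation" % renamed[call]
                      if call in exposed else 'not exposed to JavaScript')
            findings.append((call, reason))
    return findings

if __name__ == '__main__':
    for method, reason in check_bridge_calls(JAVA_SRC, MAPPING, JS_SRC):
        print('MethodNotFound: bridge.%s() - %s' % (method, reason))
```
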

The developed system was presented as a paper, “HybriDroid: Static Analysis Framework for Android Hybrid Applications,” at ASE’16, one of the most prominent conferences in the software engineering field, and it was officially integrated into the open-source repository of WALA, which is publicly available worldwide, in 2017. It was featured in the Electronic Times newspaper in November 2017. HybriDroid has users in various countries, including the USA, China, and Germany.

Figure 2. HybriDroid system overview