Identification and Risk Assessment of Cross-Origin Access Behavior in Cordova Applications
Cite this article: Mo Qianqian, Zhang Yuan. Identification and Risk Assessment of Cross-Origin Access Behavior in Cordova Applications[J]. Computer Applications and Software, 2020, 37(2): 1-7, 14.
Authors: Mo Qianqian, Zhang Yuan
Affiliation: Software School, Fudan University, Shanghai 201203; Software School, Fudan University, Shanghai 201203
Funding: Shanghai Youth Science and Technology Talent "Sailing Program" (扬帆计划); National Natural Science Foundation of China; National Key Basic Research Program of China (973 Program)
Abstract: Hybrid development has become the most popular model for building mobile applications, and Cordova applications are the hybrid mobile applications with the largest market share. Cordova applications are exposed to a cross-origin access security risk. The problem is that the Cordova framework lets an application customize its built-in browser, and a malicious application can use this capability to manipulate Web resources that do not belong to it, endangering the security of user data. To evaluate the cross-origin access problem in real-world Cordova applications, an automated tool, COCAScanner, was designed and implemented. The tool detects cross-origin access behavior in Cordova applications in batch and assesses the risk level of that behavior. The experiment analyzed 7791 Cordova applications from the Google Play store and found that 10.5% of the applications exhibit cross-origin access behavior, and that 13.1% of those are risky. Finally, combined with manual analysis, one application was found to maliciously steal user account credentials across origins, and several applications were found to exhibit the high-risk behavior of injecting their own advertisements into other websites.

Keywords: Hybrid mobile application; Cross-origin access behavior; Static analysis

IDENTIFICATION AND RISK ASSESSMENT OF CROSS-ORIGIN ACCESS BEHAVIOR IN CORDOVA APPLICATIONS
Mo Qianqian, Zhang Yuan. IDENTIFICATION AND RISK ASSESSMENT OF CROSS-ORIGIN ACCESS BEHAVIOR IN CORDOVA APPLICATIONS[J]. Computer Applications and Software, 2020, 37(2): 1-7, 14.
Authors: Mo Qianqian, Zhang Yuan
Affiliation: (Software School, Fudan University, Shanghai 201203, China)
Abstract: Hybrid development has become the most popular way to build mobile applications, and Cordova applications are the hybrid mobile applications with the highest market share. Cordova applications are exposed to a cross-origin access security issue. The problem is that the Cordova framework provides the ability to customize a built-in browser, which a malicious application can exploit to manipulate Web resources that are not its own, thereby jeopardizing the security of user data. In order to evaluate the cross-origin access problem in real-world Cordova applications, an automated tool, COCAScanner, was designed and implemented. The tool is capable of detecting cross-origin access behavior in Cordova applications in batch and of assessing the degree of risk of these behaviors. In the experiment, 7791 Cordova applications from the Google Play app store were analyzed; 10.5% of the apps had cross-origin access behavior, and 13.1% of those were risky. Finally, combined with manual analysis, one application was found to have the malicious behavior of stealing user account passwords across origins, and several applications were found to have the high-risk behavior of inserting their own advertisements into other websites.
Keywords: Hybrid mobile application; Cross-origin access behavior; Static analysis
This article is indexed in databases including VIP (维普) and Wanfang Data (万方数据).