Achim D. Brucker, Michael Herzberg. On the Static Analysis of Hybrid Mobile Apps - A Report on the State of Apache Cordova Nation. Engineering Secure Software and Systems (ESSoS) 2016.
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes
In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of
Keywords: Static program analysis, Static application security testing, Android, Cordova, Hybrid mobile apps