混合式Android應用程式安全機制之研究

Abstract

現今混合式的手機應用程式已經被大量地在智慧型手機中使用，這些應用程式已經是使用HTML5與手機作業系統的原生語言來設計的。這些程式設計師利用WebView這一個元件載入HTML5的網頁並且利用addJavavscriptInterface這一個API註冊WebView與原生語言的溝通管道。然而，這些溝通管道有可能發生安全性的危害。惡意網頁有可能會被WebView載入並且利用這些溝通管道攻擊手機。 在這一篇論文中，我們提出了一個framework來保護這一個溝通管道。這個framework包含了兩個部分，第一部分利用fined-grained access control來防止惡意網頁存取這個溝通管道，第二部分利用機器學習來偵測溝通管道的使用是否正常。根據實驗結果，這一個framework可以有效的防止溝通管道的惡意存取。

Hybrid mobile applications have been widely used in the modern smartphones. These applications are implemented in HTML5 and the native language of the operating system. The developers use WebView components to wrap the part of HTML5 and register the communication channel between WebView and the part of native language. However, the communication channel is vulnerable. Malicious web pages may be loaded in the WebView and attack the device through the communication channel. In this thesis, we proposed a framework to protect the communication channel. This framework includes two parts. The first one is fined-grained access control which protects the communication channel. The second is malicious bridge API call detection which detects the malicious usage of the communication channel. According to the experimental result, the proposed framework blocks malicious access efficiently. Moreover, the second approach achieves high accuracy and reduces the labeled training data at the same time.