MSR 2024
Mon 15 - Tue 16 April 2024 Lisbon, Portugal
co-located with ICSE 2024
Mon 15 Apr 2024 16:48 - 17:00 at Almada Negreiros - Mobile Apps session. Chair(s): Dario Di Nucci

Although JavaScript (JS) has been widely used in mobile development, little is known about the security implications of utilizing JS engines shipped as native app libraries. In this paper, we conduct an empirical study by designing a JS-Inspector pipeline to identify the embedded JS engines in Android apps and assess their security. We investigate over 65,000 Android apps released between Jan 2018 and July 2023. The results show that many popular apps use embedded JS engines, and their engines remain outdated for extended periods. Moreover, approximately 85% of apps have not received updates since their initial release. As such, over 70% of the identified embedded engines are vulnerable to known exploits. We further present case studies of popular apps catering to millions of users. We demonstrate the exploitation of their unpatched JS engines through various strategies, including man-in-the-middle attacks, intent abuse, and malicious mini-apps. This work highlights critical security concerns associated with embedded JS engines. It emphasizes the urgency for timely updates and enhanced security measures during app development.

Mon 15 Apr

Displayed time zone: Lisbon

16:00 - 17:30
Mobile Apps (Data and Tool Showcase Track / Technical Papers) at Almada Negreiros
Chair(s): Dario Di Nucci (University of Salerno)
16:00
12m
Talk
Automating GUI-based Test Oracles for Mobile Apps
Technical Papers
Kesina Baral (CQSE America), Jack Johnson, Junayed Mahmud (George Mason University), Sabiha Salma (George Mason University), Mattia Fazzini (University of Minnesota), Julia Rubin (University of British Columbia), Jeff Offutt (George Mason University), Kevin Moran (University of Central Florida)
16:12
12m
Talk
Global Prosperity or Local Monopoly? Understanding the Geography of App Popularity
Technical Papers
Liu Wang (Beijing University of Posts and Telecommunications), Conghui Zheng (Beijing University of Posts and Telecommunications), Haoyu Wang (Huazhong University of Science and Technology), Xiapu Luo (The Hong Kong Polytechnic University), Gareth Tyson (Queen Mary University of London), Yi Wang, Shangguang Wang (Beijing University of Posts and Telecommunications)
16:24
12m
Talk
GuiEvo: Automated Evolution of Mobile App UIs
Technical Papers
Sabiha Salma (George Mason University), S M Hasan Mansur (George Mason University), Yule Zhang (George Mason University), Kevin Moran (University of Central Florida)
16:36
12m
Talk
Comparing Apples to Androids: Discovery, Retrieval, and Matching of iOS and Android Apps for Cross-Platform Analyses
Technical Papers
Magdalena Steinböck (TU Wien), Jakob Bleier (TU Wien), Mikka Rainer (CISPA Helmholtz Center for Information Security), Tobias Urban (Institute for Internet Security & secunet Security Networks AG), Christine Utz (CISPA Helmholtz Center for Information Security), Martina Lindorfer (TU Wien)
16:48
12m
Talk
Keep Me Updated: An Empirical Study on Embedded Javascript Engines in Android Apps
Technical Papers
Elliott Wen (The University of Auckland), Jiaxiang Liu (The Hong Kong Polytechnic University), Xiapu Luo (The Hong Kong Polytechnic University), Giovanni Russello (University of Auckland), Jens Dietrich (Victoria University of Wellington)
17:00
12m
Talk
Large Language Model vs. Stack Overflow in Addressing Android Permission Related Challenges
Technical Papers
Sahrima Jannat Oishwee (University of Saskatchewan), Natalia Stakhanova (University of Saskatchewan), Zadia Codabux (University of Saskatchewan, Canada)
17:12
4m
Talk
DATAR: A Dataset for Tracking App Releases
Data and Tool Showcase Track
Yasaman Abedini (Sharif University of Technology), Mohammad Hadi Hajihosseini (Sharif University of Technology), Abbas Heydarnoori (Bowling Green State University)
17:16
4m
Talk
AndroZoo: A Retrospective with a Glimpse into the Future
Data and Tool Showcase Track
Marco Alecci (University of Luxembourg), Pedro Jesús Ruiz Jiménez (University of Luxembourg), Kevin Allix (Independent Researcher), Tegawendé F. Bissyandé (University of Luxembourg), Jacques Klein (University of Luxembourg)