BridgeTaint: A Bi-Directional Dynamic Taint Tracking Method for JavaScript Bridges in Android Hybrid Applications

2019 
Hybrid applications (apps) are becoming increasingly popular because of their cross-platform capabilities and high performance. These apps use the JavaScript (JS) bridge communication scheme to interoperate between native code and Web code. Although the bridge greatly extends the functionality of hybrid apps by enabling cross-language invocations, it also introduces new security issues, e.g., cross-language code injection attacks and privacy leaks. In this paper, we propose BridgeTaint, a bi-directional dynamic taint tracking method that detects bridge security issues in hybrid apps. BridgeTaint tracks tainted data differently from existing approaches: it records the taint information of sensitive data when the data are transmitted through the bridge, and uses a cross-language taint mapping method to restore the taint tags of the corresponding data on the receiving side. This design enables BridgeTaint to track tainted data dynamically during the execution of the app and to analyze hybrid apps developed using frameworks, which existing solutions based on static code analysis cannot do. Based on BridgeTaint, we implement the BridgeInspector tool to detect cross-language privacy leaks and code injection attacks in hybrid apps that use JS bridges. We also develop a benchmark, BridgeBench, for testing bridge communication security. Experimental results on BridgeBench and 1172 apps from an Android market show that BridgeInspector effectively detects potential privacy leaks and cross-language code injection attacks in hybrid apps that use bridge communication.
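The following is an added illustration of the record-then-restore idea described in the abstract; it is not BridgeTaint's or BridgeInspector's code. Both the "native" (Java) side and the web (JavaScript) side of the bridge are simulated in plain JavaScript, the bridge is modelled as marshalling values to untagged strings, and every function, tag name and sample value below is a hypothetical construction. Taint tags are recorded in a side table at the moment a value crosses the bridge and mapped back onto the received value, so that a device identifier flowing native-to-web into a network send, and web-controlled input flowing web-to-native into a command execution, are both reported.

```javascript
// Added illustration, not BridgeTaint's implementation: a toy model of
// bi-directional dynamic taint tracking across an Android JS bridge.
// Both sides of the bridge are simulated here; all names are hypothetical.

// A value plus the set of taint tags currently attached to it.
class Tainted {
  constructor(value, tags = []) {
    this.value = value;
    this.tags = new Set(tags);
  }
}

// Taint-aware concatenation: the result carries the union of operand tags.
function concat(...parts) {
  const out = new Tainted("");
  for (const p of parts) {
    const t = p instanceof Tainted ? p : new Tainted(String(p));
    out.value += t.value;
    for (const tag of t.tags) out.tags.add(tag);
  }
  return out;
}

// The bridge only carries plain data (strings), so tags would be lost on
// crossing. Record them at send time, keyed by a per-crossing id, and map
// them back onto the received value on the other side.
const bridgeRecord = new Map();
let nextCrossingId = 0;

function sendAcrossBridge(tv, direction) {
  const id = nextCrossingId++;
  bridgeRecord.set(id, { direction, tags: new Set(tv.tags) });
  return { id, payload: String(tv.value) }; // what the real bridge marshals
}

function receiveFromBridge(msg) {
  const rec = bridgeRecord.get(msg.id);
  return new Tainted(msg.payload, rec ? rec.tags : []);
}

// Sinks. Findings are collected in an array so several can be reported.
function webNetworkSend(tv, findings) {
  const sensitive = [...tv.tags].filter((t) => t.startsWith("source:"));
  if (sensitive.length > 0) {
    findings.push({ kind: "privacy-leak", sink: "XMLHttpRequest.send",
                    tags: sensitive, data: tv.value });
  }
}

function nativeRuntimeExec(tv, findings) {
  if (tv.tags.has("origin:web")) {
    findings.push({ kind: "code-injection", sink: "Runtime.exec",
                    tags: [...tv.tags], data: tv.value });
  }
}

// Scenario 1: native -> web. The native side exposes getDeviceId() over the
// bridge; the web side appends the result to a URL and sends it out.
function scenarioPrivacyLeak(findings) {
  const imei = new Tainted("356938035643809", ["source:imei"]); // constructed sample
  const msg = sendAcrossBridge(imei, "native->web");
  const onWebSide = receiveFromBridge(msg);
  const url = concat("https://tracker.example/collect?id=", onWebSide);
  webNetworkSend(url, findings);
  return url;
}

// Scenario 2: web -> native. Script from a loaded page calls a bridge method
// whose native implementation hands the argument straight to Runtime.exec.
function scenarioCodeInjection(findings) {
  const webArg = new Tainted("ls /data/data; id", ["origin:web"]); // constructed attacker input
  const msg = sendAcrossBridge(webArg, "web->native");
  const onNativeSide = receiveFromBridge(msg);
  nativeRuntimeExec(onNativeSide, findings);
  return onNativeSide;
}

function runScenarios() {
  const findings = [];
  scenarioPrivacyLeak(findings);
  scenarioCodeInjection(findings);
  return findings;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The side table is keyed by a crossing id rather than by the string value itself, because identical strings can cross the bridge with different taint (a device id and an innocuous constant can coincide), and because primitives have no object identity after marshalling. A real implementation has to hook the WebView's bridge marshalling to obtain the same interception point; that part is outside this toy model.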