Java, Python; some experience with Android and Java bytecode
How hard it is for an adversary to attack the WebView interface depends on how the application loads the WebView's contents:
- Remote content loaded from an arbitrary address is the easiest to exploit: the attacker only has to trick the user or the app into visiting a manipulated web page. For instance, some apps can be instructed to load a target URL in their WebView by embedding a specially crafted intent URI in a malicious website, which the victim then visits in a regular mobile browser.
- Remote content from a fixed address over plaintext HTTP requires an attacker who can forge TCP packets, so that malicious content is loaded into the WebView.
- Remote content over TLS without certificate checks requires the ability to mount a man-in-the-middle attack.
- Remote content over TLS with certificate checks requires an attacker to manipulate the data on the server (or to forge certificates, where the app does not use certificate pinning).
- Static local content requires an attacker to have full control over the application image. Such an adversary would already be at the privilege level of the app, so an attack would be pointless.
The goal of this project is to build a fast static analysis that judges how difficult it is for an attacker to manipulate a hybrid Android app, and to report vulnerable apps out of a large corpus of real-world apps from the Android app store. You will build on tools such as AndroGuard and Soot to implement the analysis, and you can start from an existing implementation for detecting broken certificate checking in Android (see the 2012 paper by Fahl et al.).
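As an added illustration of the ranking above (example code written for this page, not part of the project or of AndroGuard), the following Python sketch applies the five difficulty levels to constructed smali fragments: it recovers constant URLs passed to `WebView.loadUrl`, checks whether a `WebViewClient` overrides `onReceivedSslError` and simply calls `proceed()` (the broken-certificate-check pattern the Fahl et al. work detects), and assigns each load site a rank. The smali text, URLs and the single-register constant tracking are simplifying assumptions; a real analysis would work on AndroGuard's or Soot's intermediate representation.

```python
import re
from urllib.parse import urlparse

# Constructed smali fragments (assumed, not from any real app) standing in for
# the disassembly a tool such as AndroGuard would hand to the analysis.
SMALI_CLIENT = """
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
.end method
"""
SMALI_ACTIVITY = """
    const-string v1, "http://cdn.example.test/news.html"
    invoke-virtual {v0, v1}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
    invoke-virtual {v0, v2}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
"""

SSL_METHOD = re.compile(r"\.method public onReceivedSslError\(.*?\.end method", re.S)
LOAD_CALL = re.compile(r"invoke-virtual \{v\d+, (v\d+)\}, Landroid/webkit/WebView;->loadUrl\(")
CONST_STR = re.compile(r'const-string (v\d+), "([^"]*)"')

def ssl_errors_ignored(smali):
    """True when onReceivedSslError is overridden and the handler proceeds anyway."""
    m = SSL_METHOD.search(smali)
    return bool(m) and "SslErrorHandler;->proceed()" in m.group(0)

def load_targets(smali):
    """URL strings reaching loadUrl; None when the register holds no constant
    (simplification: only the most recent const-string per register is tracked)."""
    consts, targets = {}, []
    for line in smali.splitlines():
        if c := CONST_STR.search(line):
            consts[c.group(1)] = c.group(2)
        elif call := LOAD_CALL.search(line):
            targets.append(consts.get(call.group(1)))   # None = attacker-influenced
    return targets

def difficulty(url, ssl_ignored, pinned=False):
    """Rank 1 (easiest) to 5 (pointless), following the ordering of load modes above."""
    if url is None:
        return 1, "attacker-chosen URL: trick the user or app into loading a crafted page"
    scheme = urlparse(url).scheme
    if scheme in ("", "file", "content"):
        return 5, "static local content: attacker needs full control of the app image"
    if scheme == "http":
        return 2, "plaintext HTTP: forged TCP packets on the path suffice"
    if scheme == "https" and ssl_ignored:
        return 3, "TLS without certificate checks: man-in-the-middle"
    need = "server compromise" if pinned else "server compromise or a forged certificate"
    return 4, "TLS with certificate checks: " + need

def rank_app(activity_smali, client_smali):
    """One (rank, reason) pair per loadUrl site found in the activity."""
    ignored = ssl_errors_ignored(client_smali)
    return [difficulty(u, ignored) for u in load_targets(activity_smali)]
```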