Result: WebViewJSdetect: Javascript vulnerability detection in android webview via coverage-guided thread-adaptive concurrent abstract interpretation.

Title:
WebViewJSdetect: Javascript vulnerability detection in android webview via coverage-guided thread-adaptive concurrent abstract interpretation.
Authors:
Yuan, Zhanhui (AUTHOR); Yang, Zhi (AUTHOR) zynoah@163.com; Tan, Jinglei (AUTHOR); Zhang, Hongqi (AUTHOR)
Source:
Computer Networks. Feb2026, Vol. 275, pN.PAG-N.PAG. 1p.
Database:
Business Source Premier

More information

Android WebView enables applications to embed web content within native User Interface (UI), wherein embedded JavaScript codes often require elevated privileges to perform operations such as cross-origin requests and access to sensitive data. While these JavaScript codes provide enhanced functionalities, they also introduce potential security risks, such as unauthorized API access and privilege escalation. Existing static analysis approaches fall short in adequately modeling JavaScript's dynamic features and its runtime interactions with Java interfaces, which results in false negatives for deeply triggered vulnerabilities that are exposed through dynamic execution paths. Furthermore, the lack of priority-guided analysis and adaptive resource scheduling during static analysis results in inefficiencies, particularly when dealing with complex branches and numerous objects. This paper proposes WebViewJSdetect, a novel system that models the dynamic features of JavaScript through concurrent abstract interpretation and mitigates state explosion using a coverage-guided adaptive thread scheduling mechanism. In the evaluation, WebViewJSdetect successfully detects 30 JavaScript-related security vulnerabilities in a real-world Android applications dataset and achieves a 13.3% improvement in vulnerability detection rate over the best baseline approach in a labeled benchmark dataset, while also improving analysis efficiency by approximately 20% on average. [ABSTRACT FROM AUTHOR]

Copyright of Computer Networks is the property of Elsevier B.V. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)