Demand-driven Information Flow Analysis of WebView in Android Hybrid Apps

2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE) (2023)

Abstract
Android hybrid apps augment native apps with web and inter-language communication capabilities. These apps facilitate the integration of web components, including JavaScript, into native apps. Besides, they allow a two-way communication where JavaScript can utilize functionality shared by the native side (Java). However, due to operational differences between Java and JavaScript, the semantics of this communication are complex. Tracking information flows via this communication channel, i.e., between these heterogeneous platforms, becomes intricate. Multiple approaches have been proposed to analyze hybrid apps. However, most of them focus on specific classes of web-induced vulnerabilities or provide rudimentary tracking of specific information flows via this communication channel. This work proposes a demand-driven analysis to comprehensively track information flow violations from the native side to JavaScript and vice versa. To this end, our framework selectively creates data flow summaries of the shared native-side code based on its usage in the corresponding JavaScript code. We demonstrate the efficacy of our approach by applying it to various benchmarks and large-scale apps.
Keywords
Android Hybrid Apps, Information flow analysis, Static analysis