Analysis of Android hybrid applications and other fun with WALA

--------------------------------------------------------------------------
Cybersecurity Lab Seminar Series
--------------------------------------------------------------------------

Speaker:        Dr. Julian Dolby
                IBM's Thomas J. Watson Research Center

Title:          "Analysis of Android hybrid applications and
                 other fun with WALA"

Date:           Friday, 11 November 2016

Time:           12 noon - 1:00pm

Venue:          Room 3501 (via lifts 25/26), HKUST


Abstract:

Hybrid apps help developers build multiple apps for different platforms
with less duplicated effort, by providing platform-specific functionality
via native code and user interactions via JavaScript code. However, most
hybrid apps are developed in multiple programming languages with different
semantics, complicating programming. Moreover, untrusted JavaScript code
may access device-specific features via native code, exposing hybrid apps
to attacks. Unfortunately, there are no existing tools to detect such
vulnerabilities. In this paper, we present HybriDroid, the first static
analysis framework for Android hybrid apps. First, we investigate the
semantics of interoperation of Android Java and JavaScript. Then, we
design and implement a static analysis framework that analyzes
inter-communication between Android Java and JavaScript. We demonstrate
HybriDroid with a bug detector that identifies programmer errors due to
the hybrid semantics, and a taint analyzer that finds information leaks
cross language boundaries. Our empirical evaluation shows that the tools
are practically usable in that they found previously uncovered bugs in
real-world Android hybrid apps and possible information leaks via a
widely-used advertising platform.

The bulk of this presentation will focus on ASE 2016 work on analysis of
hybrid apps (1), a blend of per-platform native code and portable
JavaScript. I will also briefly discuss two other recent projects
involving WALA: ASE 2015 work on a practically tunable static analysis
framework for large-scale JavaScript applications (2), and ISSTA 2015 work
on scalable and precise taint analysis for Android (3).


**************
Biography:

Dr. Dolby has been a Research Staff Member at IBM's Thomas J. Watson
Research Center since 2000. He works on a range of topics, including
static program analysis, software testing and the semantic web. I have
also worked on the Jikes Research Virtual Machine (Jikes RVM).His program
analysis work has recently been focused on scripting languages like
JavaScript and on security analysis of Web applications; His work has been
included in IBM products, most notably Rational AppScan products, and he
is one of the primary authors of the publicly-available Watson Libraries
for Analysis (WALA) program analysis infrastructure. His testing work has
been primarily focused on Web applications in the Apollo project, and on
finding concurrency bugs using both dynamic execution and model checking.
His semantic Web work has been on scalable inference with the SHER
project; recently, he has focused on representing RDF data efficiently in
an RDBMS.