Detecting injected behaviors in HTML5-based Android applications

HTML5-based mobile applications (or apps) are built by using standard web technologies such as HTML5, JavaScript and CSS. Due to their cross-platform support, HTML5-based mobile apps are getting more and more popular. However, similar to traditional web apps, they are often vulnerable to script-injection attacks. It results in new threats to code integrity and data privacy. Compared to traditional web apps, HTML5-based mobile apps have more possible channels to inject code, e.g., contacts, SMS, files, NFC, and cameras. Even worse, the injected scripts may gain much more powerful privileges from the mobile apps than those in the traditional web apps. In this paper, we propose an approach to detect injected behaviors in HTML5-based Android apps. Our approach monitors the execution of apps, and generates behavior state machines to describe the apps' runtime behaviors based on the execution contexts of apps. Once code injection happens, the injected behaviors will be detected based on deviation from the behavior state machine of the original app. We prototyped our approach and evaluated its effectiveness using existing code injection examples. The result demonstrates that the proposed method is effective in code injection detection for real-world HTML5-based Android apps.