Hybrid apps combine the features of Web applications and “native” mobile apps. First, they provide an embedded Web browser (for example, WebView on Android) that executes the app’s Web code. Second, they supply “bridges” that allow Web code to access internal app code. This is intrinsically dangerous and presents security risks such as CVE-2012-6336 and the “App Clone Attack”. Previous work addressing this problem has provided various access control solutions.
Finally, towards solving these issues permanently, we propose a practical mitigation measure called “RichInterface”. It has been applied in our custom embedded browser — HwWebView. Our evaluation of real-world apps shows that the mitigation is effective and scalable, with negligible overhead.