
Detailed record

Author (Chinese): 陳柏穎
Author (English): Chen, Po-Ying
Title (Chinese): 一個用於安卓Webview 以及網頁應用程式之漏洞檢測系統
Title (English): A Vulnerability Detecting System for Android Webview and Web Applications
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 許富皓, 黃世昆
Committee members (English): Hsu, Fu-Hau; Huang, Shih-Kun
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 105062541
Publication year (ROC calendar): 107
Graduation academic year: 106
Language: English
Pages: 39
Keywords (Chinese): Android, information security, web applications
Keywords (English): Android, Webview, security, Web
Usage statistics:
  • Recommendations: 0
  • Views: 1206
  • Rating: *****
  • Downloads: 0
  • Bookmarks: 0
Abstract (Chinese, translated):
In recent years, smart devices have become increasingly common, and Android is currently the most popular mobile operating system in the world. More and more developers combine the Webview object provided by Android with web applications to build hybrid mobile applications. Because this type of application only requires the developer to implement the intended functionality as web application code and then combine it with the Webview object to easily build and publish a mobile application, the feature has become increasingly popular among developers. However, this has also introduced a new kind of information security risk: security vulnerabilities that previously existed in web applications now also affect all kinds of smart devices. Therefore, the security risks of the Webview object and of the web applications that a mobile application links to should not be underestimated.
In this thesis, we introduce Android's Webview, the new web technology HTML5, and the risks these components may face. In addition, we propose an automated system that helps users and developers quickly check whether their mobile applications contain the security risks described above.
Our system automatically decompiles the binary code and, according to the rules we defined, quickly checks whether the source code contains incorrect usage or calls high-risk functions. In addition, the system also examines the web applications linked from the target application and detects whether security risks exist; users can then fix the problems according to our system's report. Finally, we show that our system is effective and convenient and can successfully detect Webview and web application security issues in current Android applications.
Abstract (English):
Smart devices have become more and more common in recent years, and Android is currently the most popular mobile phone operating system in the world. Some developers are using Webview objects provided by Android in conjunction with web applications to develop hybrid mobile applications, since this type of application only requires the developer to implement the desired function in the web application code; combined with the Webview object, the mobile application can be easily developed, making this approach increasingly popular among developers.
However, this has also led to a new type of information security risk. Information security issues that may have existed in web applications have also come to affect smart devices. Therefore, the security risk of Webview objects and of web applications linked to mobile applications is not to be underestimated.
In this paper, we introduce Android's Webview and the new Web technology HTML5. In addition, we propose an automated system designed to help users and developers quickly check their mobile phone applications for the security risks described above. Our system automatically decompiles the binary code and quickly checks whether the source code contains incorrect usage or calls high-risk functions according to the rules we set. Finally, we show that our system is effective and convenient and can successfully detect Webview and web application security issues in current Android applications.
Table of Contents
List of Figures — iii
List of Tables — iv
Chapter 1 Introduction — 1
  1.1 Motivation — 2
  1.2 Contribution — 2
  1.3 Organization — 3
Chapter 2 Background — 4
  2.1 Android Application Development Flow — 4
    2.1.1 Dalvik — 4
    2.1.2 Android application package — 5
  2.2 WebView — 5
    2.2.1 WebView security issues — 6
  2.3 DOM (Document Object Model) — 7
  2.4 HTML5 Techniques — 7
    2.4.1 HTML5 Improvement over HTML — 7
    2.4.2 Form Validation in HTML 4 — 8
    2.4.3 Form Validation in HTML 5 — 9
  2.5 Cross-site Scripting Methods — 9
    2.5.1 Reflected XSS — 9
    2.5.2 Stored XSS — 10
    2.5.3 DOM-Based XSS — 10
Chapter 3 Related Works — 13
  3.1 Papers — 13
  3.2 Books and Conference talks — 14
Chapter 4 System Design — 16
  4.1 Goal — 16
  4.2 System Framework — 17
    4.2.1 Initialization — 18
    4.2.2 Disassembly and Decompilation — 18
    4.2.3 Android security scanner — 18
    4.2.4 Web page security scanner — 18
Chapter 5 Implementation — 20
  5.1 System Requirement — 20
  5.2 Tools — 21
    5.2.1 Androguard — 21
    5.2.2 Androbug — 21
    5.2.3 Node Crawler — 21
    5.2.4 Arachni — 22
  5.3 System Architecture — 22
    5.3.1 Initialization — 22
    5.3.2 Android security scanner — 23
    5.3.3 Web page security scanner — 25
Chapter 6 System evaluation — 29
  6.1 Experiment Design — 29
    6.1.1 Purpose — 29
    6.1.2 Experiment environment and settings — 30
    6.1.3 Experiment process — 30
    6.1.4 Sample test set — 31
  6.2 Example — 32
  6.3 Comparison — 34
Chapter 7 Conclusion — 36
(Full text not released for public access)