Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have. We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter. We extracted 9,714 distinct web API URLs that were used in 3,376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.

中文翻译：

---

从安全角度看 Android 中的 Web API

Web 通信已成为移动应用程序不可或缺的特性。但是，尚不清楚这些应用程序传输哪些数据、向谁传输以及此类传输会产生什么后果。我们从安全的角度分析了移动应用程序中发现的网络通信。我们首先手动研究了 160 个 Android 应用程序，以确定常用的通信库，并了解它们在这些应用程序中的使用方式。然后我们开发了一个工具来静态识别应用程序中使用的 Web API URL，并恢复 JSON 数据模式，包括每个参数的类型和值。我们提取了 3,376 个应用程序中使用的 9,714 个不同的 Web API URL。我们发现开发者经常使用 java.net 包进行网络通信，但是很多应用程序中也使用了 OkHttp 等第三方库。我们发现不安全的 HTTP 连接在封闭源代码应用程序中比在开源应用程序中更普遍七倍，并且嵌入式 SQL 和 JavaScript 代码在 500 多个不同应用程序的网络通信中使用。这一发现是毁灭性的。它使数十亿用户和 API 服务提供商容易受到攻击。