Understanding JavaScript Vulnerabilities in Large Real-World Android Applications
IEEE Transactions on Dependable and Secure Computing (IF 7.3), Pub Date: 2020-09-01, DOI: 10.1109/tdsc.2018.2845851
Wei Song , Qingqing Huang , Jeff Huang

JavaScript-related vulnerabilities are becoming a major security threat to hybrid mobile applications. In this article, we present a systematic study to understand how JavaScript is used in real-world Android apps and how it may lead to security vulnerabilities. We begin by conducting an empirical study on the top-100 most popular Android apps to investigate JavaScript usage and its related security vulnerabilities. Our study identifies four categories of JavaScript usage and finds that three of these categories, if inappropriately used, can respectively lead to three types of vulnerabilities. We also design and implement an automatic tool named JSDroid to detect JavaScript-related vulnerabilities. We have applied JSDroid to 1,000 large real-world Android apps and found that over 70 percent of these apps have potential JavaScript-related vulnerabilities and 20 percent of them can be successfully exploited. Moreover, based on the vulnerabilities identified by JSDroid, we have successfully launched real attacks on 30 real-world apps.

Updated: 2020-09-01