*Result*: A multi-party, fine-grained permission and policy enforcement framework for hybrid mobile applications.

*In hybrid mobile applications (apps), the core code of an app is in JavaScript. Any JavaScript code in a hybrid app, local or remote, can access available APIs, including JavaScript bridges provided by a hybrid development framework, to access device resources. This JavaScript inclusion capability is dangerous since there is no mechanism to determine the origin (party) of the code to control access. Moreover, any JavaScript code running in a mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Furthermore, most solutions require modification of the base platform. In this article, we propose a novel policy enforcement framework to enforce useful fine-grained security and privacy policies based on permission for each party in hybrid mobile apps. In contrast to the conventional permission model in mobile apps, our permission specification is platform-agnostic and context-aware. This new permission specification allows app developers to customize for different parties over single permission. We integrate our permission specification into an app at the development phase; however, by design, it allows end-users to adjust parameters at runtime to protect their privacy. Together with multi-party permission patterns, we introduce comprehensive classes of expensive fine-grained, stateful policies that developers can deploy in practice. These policy patterns can help to protect the privacy of users and can also mitigate significant types of potential attacks in hybrid apps, evidenced by our real-world evaluation. Our experimental results also demonstrate that the framework is compatible with various hybrid development frameworks over two major mobile platforms, with lightweight overhead. [ABSTRACT FROM AUTHOR]

Copyright of Journal of Computer Security is the property of Sage Publications Inc. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)*

*Full text is not displayed to guests* *Login for full access*