{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:54Z","timestamp":1777806114568,"version":"3.51.4"},"reference-count":92,"publisher":"SAGE Publications","issue":"3","license":[{"start":{"date-parts":[[2020,3,9]],"date-time":"2020-03-09T00:00:00Z","timestamp":1583712000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,4,21]]},"abstract":"<jats:p>In hybrid mobile applications (apps), the core code of an app is in JavaScript. Any JavaScript code in a hybrid app, local or remote, can access available APIs, including JavaScript bridges provided by a hybrid development framework, to access device resources. This JavaScript inclusion capability is dangerous since there is no mechanism to determine the origin (party) of the code to control access. Moreover, any JavaScript code running in a mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Furthermore, most solutions require modification of the base platform.<\/jats:p>\n                  <jats:p>In this article, we propose a novel policy enforcement framework to enforce useful fine-grained security and privacy policies based on permission for each party in hybrid mobile apps. In contrast to the conventional permission model in mobile apps, our permission specification is platform-agnostic and context-aware. This new permission specification allows app developers to customize for different parties over single permission. We integrate our permission specification into an app at the development phase; however, by design, it allows end-users to adjust parameters at runtime to protect their privacy. Together with multi-party permission patterns, we introduce comprehensive classes of expensive fine-grained, stateful policies that developers can deploy in practice. These policy patterns can help to protect the privacy of users and can also mitigate significant types of potential attacks in hybrid apps, evidenced by our real-world evaluation. Our experimental results also demonstrate that the framework is compatible with various hybrid development frameworks over two major mobile platforms, with lightweight overhead.<\/jats:p>","DOI":"10.3233\/jcs-191350","type":"journal-article","created":{"date-parts":[[2020,3,10]],"date-time":"2020-03-10T14:53:40Z","timestamp":1583852020000},"page":"375-404","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":1,"title":["A multi-party, fine-grained permission and policy enforcement framework for hybrid mobile applications"],"prefix":"10.1177","volume":"28","author":[{"given":"Phu H.","family":"Phung","sequence":"first","affiliation":[{"name":"Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Rakesh S.V.","family":"Reddy","sequence":"additional","affiliation":[{"name":"Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Steven","family":"Cap","sequence":"additional","affiliation":[{"name":"Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Anthony","family":"Pierce","sequence":"additional","affiliation":[{"name":"Intelligent Systems Security Lab, Department of Computer Science, University of Dayton, Dayton, OH, USA. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Abhinav","family":"Mohanty","sequence":"additional","affiliation":[{"name":"Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC, USA. E-mails:\u00a0,\u00a0"}]},{"given":"Meera","family":"Sridhar","sequence":"additional","affiliation":[{"name":"Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC, USA. E-mails:\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,3,9]]},"reference":[{"key":"ref001","unstructured":"Adobe Inc., Adobe PhoneGap, Online: https:\/\/phonegap.com\/, accessed on 12\/31\/2019."},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"P.\u00a0Agten, S.V.\u00a0Acker, Y.\u00a0Brondsema, P.H.\u00a0Phung, L.\u00a0Desmet and F.\u00a0Piessens, JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications, in: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), 2012, pp.\u00a01\u201310.","DOI":"10.1145\/2420950.2420952"},{"key":"ref003","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2008.09.004"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"M.\u00a0Ali and A.\u00a0Mesbah, Mining and characterizing hybrid apps, in: Proceedings of the International Workshop on App Market Analytics, WAMA 2016, 2016, pp.\u00a050\u201356.","DOI":"10.1145\/2993259.2993263"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"A.\u00a0AlJarrah and M.\u00a0Shehab, The demon is in the configuration: Revisiting hybrid mobile apps configuration model, in: Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES\u201917, 2017, pp.\u00a057:1\u201357:10.","DOI":"10.1145\/3098954.3105825"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"A.\u00a0AlJarrah and M.\u00a0Shehab, CordovaConfig: A tool for mobile hybrid apps\u2019 configuration, in: Proceedings of the 17th International Conference on Mobile and Ubiquitous Multimedia, MUM 2018, 2018, pp.\u00a0161\u2013170.","DOI":"10.1145\/3282894.3282931"},{"key":"ref007","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-12385-7_69"},{"key":"ref008","unstructured":"Android Developers, Permissions Overview, 2018, Latest update: August, 2018."},{"key":"ref009","unstructured":"Apache Cordova, Architectural overview of Cordova platform, 2018, Online: https:\/\/cordova.apache.org\/docs\/en\/latest\/guide\/overview\/index.html, version 9.x, accessed on 12\/30\/2019."},{"key":"ref010","unstructured":"Apache Software Foundation, Whitelist Guide, https:\/\/cordova.apache.org\/docs\/en\/latest\/guide\/appdev\/whitelist\/ Version 8.x. Accessed: August, 2018."},{"key":"ref011","unstructured":"Apache Software Foundation, Cordova \u2013 Security Guide, 2019, https:\/\/cordova.apache.org\/docs\/en\/latest\/guide\/appdev\/security\/. Version: 9.x (latest). Accessed: August, 2019."},{"key":"ref012","unstructured":"Apple Developer, Requesting Permission, 2018, Accessed: August, 2018."},{"key":"ref013","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36742-7_39"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2855650"},{"key":"ref015","unstructured":"A.\u00a0Barth, The Web Origin Concept, https:\/\/tools.ietf.org\/html\/rfc6454."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1145\/3241739"},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"A.\u00a0Bi\u00f8rn-Hansen, T.M.\u00a0Gr\u00f8nli, G.\u00a0Ghinea and S.\u00a0Alouneh, An empirical study of cross-platform mobile development in industry, Wireless Communications and Mobile Computing 2019 (2019).","DOI":"10.1155\/2019\/5743892"},{"key":"ref018","unstructured":"S.\u00a0Bugiel, S.\u00a0Heuser and A.R.\u00a0Sadeghi, Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies, in: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), 2013, pp.\u00a0131\u2013146."},{"key":"ref019","unstructured":"S.\u00a0Butner, How Much in Advertising Revenue Can a Mobile App Generate? http:\/\/smallbusiness.chron.com\/much-advertising-revenue-can-mobile-app-generate-76855.html."},{"key":"ref020","unstructured":"M.\u00a0Butusov, Native vs Hybrid apps. What to choose in 2019? 2019, Online: https:\/\/blog.techmagic.co\/native-vs-hybrid-apps\/, retrieved on 5\/15\/2019."},{"key":"ref021","unstructured":"M.\u00a0Casimirri, Mobile Angular UI, Online: https:\/\/github.com\/mcasimir\/mobile-angular-ui, accessed on 12\/31\/2019."},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Chen, H.\u00a0Lee, A.B.\u00a0Jeng and T.\u00a0Wei, DroidCIA: A novel detection method of code injection attacks on HTML5-based mobile apps, in: Proceedings of the 14th Trust, Security and Privacy in Computing and Communications (TRUSTCOM), Vol.\u00a001, 2015, pp.\u00a01014\u20131021.","DOI":"10.1109\/Trustcom.2015.477"},{"key":"ref023","unstructured":"Facebook Inc., React \u2013 A JavaScript library for building user interfaces, https:\/\/facebook.github.io\/react\/."},{"key":"ref024","unstructured":"D.\u00a0Franzen and D.\u00a0Aspinall, PhoneWrap-injecting the \u201chow often\u201d into mobile apps, in: The 1st International Workshop on Innovations in Mobile Privacy and Security (IMPS), 2011, pp.\u00a011\u201319."},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"M.\u00a0Georgiev, S.\u00a0Jana and V.\u00a0Shmatikov, Breaking and fixing origin-based access control in hybrid web\/mobile application frameworks, in: Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS), 2014.","DOI":"10.14722\/ndss.2014.23323"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1145\/2736277.2741663"},{"key":"ref027","unstructured":"D.\u00a0Goodin, Millions exposed to malvertising that hid attack code in banner pixels, 2016, http:\/\/arstechnica.com\/security\/2016\/12\/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels\/."},{"key":"ref028","unstructured":"Google Inc., Android NDK Native APIs, https:\/\/developer.android.com\/ndk\/guides\/stable_apis.html."},{"key":"ref029","doi-asserted-by":"crossref","unstructured":"H.\u00a0Heitk\u00f6tter, S.\u00a0Hanschke and T.A.\u00a0Majchrzak, Evaluating cross-platform development approaches for mobile applications, in: International Conference on Web Information Systems and Technologies, Springer, 2012, pp.\u00a0120\u2013138.","DOI":"10.1007\/978-3-642-36608-6_8"},{"key":"ref030","unstructured":"A.\u00a0Hern, Spotify hit by \u2018malvertising\u2019 in app, 2016, http:\/\/bit.ly\/spotify-malvertising."},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-018-9617-6"},{"key":"ref032","unstructured":"Idera Inc., Sencha Touch, 2019, Online: https:\/\/www.sencha.com\/products\/touch\/, accessed on 12\/31\/2019."},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Imamura, H.\u00a0Uekawa, Y.\u00a0Ishihara, M.\u00a0Sato and T.\u00a0Yamauchi, Web access monitoring mechanism for Android webview, in: Proceedings of the Australasian Computer Science Week Multiconference, ACM, 2018, p.\u00a01.","DOI":"10.1145\/3167918.3167942"},{"key":"ref034","unstructured":"Integral Ad Science, Inc., Effectively influence consumers everywhere, 2016, https:\/\/integralads.com\/."},{"key":"ref035","unstructured":"Intel Software, Intel XDK Release Notes, 2017, Online: https:\/\/software.intel.com\/en-us\/xdk\/docs\/release-notes-information-intel-xdk, accessed on 12\/31\/2019."},{"key":"ref036","doi-asserted-by":"crossref","unstructured":"X.\u00a0Jin, X.\u00a0Hu, K.\u00a0Ying, W.\u00a0Du, H.\u00a0Yin and G.N.\u00a0Peri, Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2014, pp.\u00a066\u201377.","DOI":"10.1145\/2660267.2660275"},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-27659-5_22"},{"key":"ref038","unstructured":"V.\u00a0Kharlampidi, Framework7 \u2013 Full Featured Framework For Building iOS, Android & Desktop Apps, Online: https:\/\/framework7.io\/, accessed on 12\/31\/2019."},{"key":"ref039","unstructured":"J.\u00a0Kirk, Massive Malvertising Campaign Hits MSN, Yahoo, 2016, http:\/\/bit.ly\/mal-ads-msn."},{"key":"ref040","first-page":"396","volume":"26","author":"Kudo N.","year":"2018","journal-title":"JIP"},{"key":"ref041","doi-asserted-by":"publisher","DOI":"10.1109\/ICSTW.2018.00032"},{"key":"ref042","doi-asserted-by":"crossref","unstructured":"S.\u00a0Lee, J.\u00a0Dolby and S.\u00a0Ryu, HybriDroid: Static analysis framework for Android hybrid applications, in: Proceedings of the 31st IEEE\/ACM International Conference on Automated Software Engineering (ASE), 2016, pp.\u00a0250\u2013261.","DOI":"10.1145\/2970276.2970368"},{"key":"ref043","doi-asserted-by":"publisher","DOI":"10.1080\/07380569.2019.1601957"},{"key":"ref044","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04434-2_23"},{"key":"ref045","unstructured":"J.\u00a0Looper, What is a WebView? 2015, http:\/\/developer.telerik.com\/featured\/what-is-a-webview\/."},{"key":"ref046","unstructured":"M.T.\u00a0Louw, K.T.\u00a0Ganesh and V.N.\u00a0Venkatakrishnan, AdJail: Practical enforcement of confidentiality and integrity policies on web advertisements, in: Proceedings of USENIX Security\u201910, USENIX Association, Berkeley, CA, USA, 2010, pp.\u00a024\u201341. ISBN 888-7-6666-5555-4. http:\/\/dl.acm.org\/citation.cfm?id=1929820.1929852."},{"key":"ref047","doi-asserted-by":"crossref","unstructured":"M.T.\u00a0Louw, P.H.\u00a0Phung, R.\u00a0Krishnamurti and V.N.\u00a0Venkatakrishnan, SafeScript: JavaScript transformation for policy enforcement, in: Proceedings of the 18th Nordic Conference on Secure IT Systems (NordSec 2013), 2013, pp.\u00a067\u201383.","DOI":"10.1007\/978-3-642-41488-6_5"},{"key":"ref048","doi-asserted-by":"crossref","unstructured":"J.\u00a0Magazinius, P.H.\u00a0Phung and D.\u00a0Sands, Safe wrappers and sane policies for self protecting JavaScript, in: Proceedings of the 15th Nordic Conference in Secure IT Systems (NordSec), 2010, pp.\u00a0239\u2013255.","DOI":"10.1007\/978-3-642-27937-9_17"},{"key":"ref049","unstructured":"A.\u00a0Manchanda, Where Do Cross-Platform App Frameworks Stand in 2020? 2019, Online: https:\/\/www.netsolutions.com\/insights\/cross-platform-app-frameworks-in-2019\/, accessed on 12\/30\/2019."},{"key":"ref050","doi-asserted-by":"publisher","DOI":"10.3233\/JHS-160538"},{"key":"ref051","doi-asserted-by":"publisher","DOI":"10.3233\/JHS-160534"},{"key":"ref052","unstructured":"B.S.\u00a0Max\u00a0Lynch and A.\u00a0Bradle, Ionic Framework, Online: https:\/\/ionicframework.com\/, accessed on 12\/31\/2019."},{"key":"ref053","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"key":"ref054","unstructured":"Microsoft Corp., Visual Studio Tools for Xamarin\u00a0\u2013 Deliver native Android, iOS, and Windows apps with a single shared .NET code base, Online: https:\/\/visualstudio.microsoft.com\/xamarin\/, accessed on 12\/31\/2019."},{"key":"ref055","unstructured":"Microsoft Development Network (MSDN), Cordova whitelist and Content Security Policy guide, https:\/\/taco.visualstudio.com\/en-us\/docs\/cordova-security-whitlists\/#the-w3c-content-security-policy-csp."},{"key":"ref056","unstructured":"Microsoft Development Network (MSDN), Cordova whitelist and Content Security Policy guide, https:\/\/taco.visualstudio.com\/en-us\/docs\/cordova-security-whitlists\/#the-w3c-content-security-policy-csp."},{"key":"ref057","unstructured":"Mozilla Development Network, Content-Security-Policy, https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy."},{"key":"ref058","doi-asserted-by":"crossref","unstructured":"M.\u00a0Musch, M.\u00a0Steffens, S.\u00a0Roth, B.\u00a0Stock and M.\u00a0Johns, ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices (2019).","DOI":"10.1145\/3321705.3329841"},{"key":"ref059","unstructured":"P.\u00a0Mutchler, A.\u00a0Doup\u00e9, J.\u00a0Mitchell, C.\u00a0Kruegel and G.\u00a0Vigna, A large-scale study of mobile web app security, in: Proceedings of the Mobile Security Technologies Workshop (MoST), 2015."},{"key":"ref060","doi-asserted-by":"crossref","unstructured":"K.\u00a0Nakhaei, E.\u00a0Ansari and F.\u00a0Ansari, JSSignature: Eliminating Third-Party-Hosted JavaScript Infection Threats Using Digital Signatures, arXiv preprint arXiv:1812.03939 (2018).","DOI":"10.1007\/s42452-019-1805-5"},{"key":"ref061","doi-asserted-by":"crossref","unstructured":"M.\u00a0Nauman, S.\u00a0Khan and X.\u00a0Zhang, Apex: Extending Android permission model and enforcement with user-defined runtime constraints, in: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ACM, 2010, pp.\u00a0328\u2013332.","DOI":"10.1145\/1755688.1755732"},{"key":"ref062","doi-asserted-by":"publisher","DOI":"10.1002\/sec.360"},{"key":"ref063","unstructured":"Onsen UI, Online: https:\/\/onsen.io\/v2\/guide\/, accessed on 12\/31\/2019."},{"key":"ref064","unstructured":"OWASP, Clickjacking, https:\/\/www.owasp.org\/index.php\/Clickjacking."},{"key":"ref065","unstructured":"P.\u00a0Peranzo, App Development Decisions: Native App Vs Web App Vs Hybrid? 2018, Online: https:\/\/www.imaginovation.net\/blog\/app-development-decisions-native-web-or-hybrid\/, retrieved on 5\/15\/2019."},{"key":"ref066","doi-asserted-by":"crossref","unstructured":"P.H.\u00a0Phung and L.\u00a0Desmet, A two-tier sandbox architecture for untrusted JavaScript, in: Proceedings of the Workshop on JavaScript Tools (JSTools), 2012, pp.\u00a01\u201310.","DOI":"10.1145\/2307720.2307721"},{"key":"ref067","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2017.34"},{"key":"ref068","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2014.2355847"},{"key":"ref069","doi-asserted-by":"crossref","unstructured":"P.H.\u00a0Phung, D.\u00a0Sands and A.\u00a0Chudnov, Lightweight self-protecting JavaScript, in: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (ASIACCS), 2009, pp.\u00a047\u201360.","DOI":"10.1145\/1533057.1533067"},{"key":"ref070","doi-asserted-by":"crossref","unstructured":"S.\u00a0Pooryousef and M.\u00a0Amini, Fine-grained access control for hybrid mobile applications in Android using restricted paths, in: Proceedings of the 13th International ISC Conference on Information Security and Cryptology (ISCISC), 2016.","DOI":"10.1109\/ISCISC.2016.7736456"},{"key":"ref071","doi-asserted-by":"crossref","unstructured":"S.\u00a0Pouryousef, M.\u00a0Rezaiee and A.\u00a0Chizari, Let me join two worlds! Analyzing the integration of web and native technologies in hybrid mobile apps, in: 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/ 12th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE), 2018, pp.\u00a01814\u20131819.","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00274"},{"key":"ref072","unstructured":"Progress Software, NativeScript: Create Native iOS and Android Apps with JavaScript, Online: https:\/\/www.nativescript.org\/, accessed on 12\/31\/2019."},{"key":"ref073","unstructured":"Y.\u00a0Qiu, Tapjacking: An Untapped Threat in Android, https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/tapjacking-an-untapped-threat-in-android\/. Accessed on 01-09-2012."},{"key":"ref074","doi-asserted-by":"publisher","DOI":"10.1145\/1281480.1281481"},{"key":"ref075","unstructured":"M.\u00a0Rouse, Malvertisement (malicious advertisement or malvertising), 2011, http:\/\/searchsecurity.techtarget.com\/definition\/malvertisement-malicious-advertisement-or-malvertising."},{"key":"ref076","doi-asserted-by":"crossref","unstructured":"M.\u00a0Shehab and A.\u00a0AlJarrah, Reducing attack surface on Cordova-based hybrid mobile apps, in: Proceedings of the 2nd International Workshop on Mobile Development Lifecycle (MobileDeli), 2014, pp.\u00a01\u20138.","DOI":"10.1145\/2688412.2688417"},{"key":"ref077","doi-asserted-by":"crossref","unstructured":"K.\u00a0Singh, Practical context-aware permission control for hybrid mobile applications, in: Proceedings of the 16th International Workshop on Recent Advances in Intrusion Detection (RAID), 2013, pp.\u00a0307\u2013327.","DOI":"10.1007\/978-3-642-41284-4_16"},{"key":"ref078","unstructured":"Stack Overflow, Developer Survey 2019, Online: https:\/\/insights.stackoverflow.com\/survey\/2019, accessed on 12\/30\/2019."},{"key":"ref079","unstructured":"The jQuery Foundation, jQuery Mobile \u2013 A Touch-Optimized Web Framework, 2019, Online: https:\/\/jquerymobile.com\/, accessed on 12\/31\/2019."},{"key":"ref080","doi-asserted-by":"crossref","unstructured":"A.\u00a0Tiwari, J.\u00a0Prakash, S.\u00a0Gro\u00df and C.\u00a0Hammer, LUDroid: A large scale analysis of Android\u2013Web hybridization, in: 2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM), IEEE, pp.\u00a0256\u2013267.","DOI":"10.1109\/SCAM.2019.00036"},{"key":"ref081","unstructured":"TouchstoneJS \u2013 JS \u2013 Creating Your Visual Interaction, Online: https:\/\/touchstonejs.io\/, accessed on 12\/31\/2019."},{"key":"ref082","doi-asserted-by":"crossref","unstructured":"T.\u00a0Tran, R.\u00a0Pelizzi and R.\u00a0Sekar, JaTE: Transparent and efficient JavaScript confinement, in: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, 2015, pp.\u00a0151\u2013160. ISBN 978-1-4503-3682-6.","DOI":"10.1145\/2818000.2818019"},{"key":"ref083","doi-asserted-by":"crossref","unstructured":"G.S.\u00a0Tuncay, S.\u00a0Demetriou and C.A.\u00a0Gunter, Draco: A system for uniform and fine-grained access control for web code on Android, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016, pp.\u00a0104\u2013115. ISBN 978-1-4503-4139-4.","DOI":"10.1145\/2976749.2978322"},{"key":"ref084","doi-asserted-by":"crossref","unstructured":"S.\u00a0Van\u00a0Acker, P.\u00a0De\u00a0Ryck, L.\u00a0Desmet, F.\u00a0Piessens and W.\u00a0Joosen, WebJail: Least-privilege integration of third-party components in web mashups, in: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC\u201911, 2011, pp.\u00a0307\u2013316. ISBN 978-1-4503-0672-0.","DOI":"10.1145\/2076732.2076775"},{"key":"ref085","doi-asserted-by":"crossref","unstructured":"N.\u00a0van Ginkel, W.\u00a0De\u00a0Groef, F.\u00a0Massacci and F.\u00a0Piessens, A server-side JavaScript security architecture for secure integration of third-party libraries, Security and Communication Networks 2019 (2019).","DOI":"10.1155\/2019\/9629034"},{"key":"ref086","unstructured":"Wikipedia Contributors, Mobile development framework\u00a0\u2013 Wikipedia, The Free Encyclopedia, 2019, Online: https:\/\/en.wikipedia.org\/w\/index.php?title=Mobile_development_framework&oldid=933163995, accessed on 12\/30\/2019."},{"key":"ref087","doi-asserted-by":"crossref","unstructured":"M.\u00a0Willocx, J.\u00a0Vossaert and V.\u00a0Naessens, Security analysis of cordova applications in Google play, in: Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES\u201917, 2017, pp.\u00a046:1\u201346:7.","DOI":"10.1145\/3098954.3103162"},{"key":"ref088","doi-asserted-by":"crossref","unstructured":"X.\u00a0Xiao, R.\u00a0Yan, R.\u00a0Ye, Q.\u00a0Li, S.\u00a0Peng and Y.\u00a0Jiang, Detection and prevention of code injection attacks on HTML5-based apps, in: Proceedings of the 3rd International Conference on Advanced Cloud and Big Data (CBD), 2015, pp.\u00a0254\u2013261.","DOI":"10.1109\/CBD.2015.48"},{"key":"ref089","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2017.11.001"},{"key":"ref090","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00043"},{"key":"ref091","doi-asserted-by":"crossref","unstructured":"G.\u00a0Yang, A.\u00a0Mendoza, J.\u00a0Zhang and G.\u00a0Gu, Precisely and scalably vetting JavaScript bridge in Android hybrid apps, in: RAID, 2017.","DOI":"10.1007\/978-3-319-66332-6_7"},{"key":"ref092","unstructured":"W.\u00a0Zamora, Truth in malvertising: How to beat bad ads, 2017, http:\/\/bit.ly\/how-to-beat-bad-ads."}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191350","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191350","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191350","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:23Z","timestamp":1777495523000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191350"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3,9]]},"references-count":92,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,4,21]]}},"alternative-id":["10.3233\/JCS-191350"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191350","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,3,9]]}}}