Fixing the Broken Bridge Between Mobile Apps and the Web
The Web has undergone a progressive conceptual shift from a mesh of interconnected documents to an application distribution platform. In parallel, smartphones and tablets changed the way users consume Web content. With Web apps being ubiquitous, mobile platforms are introducing new mechanisms to integrate Web content: in addition to apps embedding browsers, cross-platform apps can be developed using Web frameworks with little to no app development experience. At the same time, powerful Web APIs are being developed and standardized to close the gap between the Web and native apps. The security and privacy implications of this ongoing transformation have yet to be explored. The analysis is hampered by the fast-changing nature of Web and mobile platforms and the contrasting evolution of functionalities across different OSes and browsers. Previous work mainly focused on security and privacy issues affecting either websites or mobile apps in isolation. We will develop a unified framework that will enable us to rigorously evaluate the security implications of the intersection between Web and mobile platforms, at both the standard and the implementation level. We will shed light on new ways that Web and mobile apps can interact with each other and how these interactions can lead to security and privacy issues. We will further conduct large-scale empirical measurements to confirm the impact of our findings, and we will propose remediation strategies for the emerging mechanisms analyzed.