FCDroid (Frame Confusion Android) is a tool that automatically detects the Frame Confusion vulnerability in Android hybrid apps.
Frame Confusion is a vulnerability affecting hybrid applications that allows circumventing the isolation granted by the Same-Origin Policy. Detection of this vulnerability is still carried out manually by application developers, but the process is error-prone and often underestimated. In this article, we propose a sound and complete methodology to detect Frame Confusion on Android, as well as a publicly released tool (FCDroid) that implements this methodology and detects Frame Confusion in hybrid applications automatically. We also make public the results obtained by analyzing 50K apps using FCDroid, which reveal that many hybrid applications suffer from Frame Confusion.
More details about FCDroid can be found in the paper "Droids in Disarray: Detecting Frame Confusion in Hybrid Android Apps".
Please use the following BibTeX entry to cite our work:
@inproceedings{caputo2019droids,
title={Droids in disarray: detecting frame confusion in hybrid android apps},
author={Caputo, Davide and Verderame, Luca and Aonzo, Simone and Merlo, Alessio},
booktitle={IFIP Annual Conference on Data and Applications Security and Privacy},
pages={121--139},
year={2019},
organization={Springer}
}
- Tested only on Ubuntu 18.04 and Ubuntu 20.04
- Use Python 3.x
- Install virtualenv
$ pip3 install virtualenv
- Download Oracle VirtualBox
- Download emulator
- Androidx86 (recommended) or Genymotion:
- Set up emulator (if needed)
- Obtain root permissions (if needed)
- Emulator with NAT and forward ports 5555 and 5554
- Emulator with bridged adapter
- Install the DroidBot app (download)
- Enable accessibility services
- Add the adb path to the PATH environment variable
- Create Virtualenv
$ virtualenv -p python3 venv
- Enable Virtualenv
$ source venv/bin/activate
- Install Requirements
$ pip install -r requirements
- Start Emulator Manager
$ python3 emulator_manager.py
- Move the apps to analyze into the dir_apk directory
- Start experiments
$ python3.6 hybrid_inspector.py -d "/home/User/dir_apk" -t -s "iframe"