I'm a beginner learning mobile appsec. I just wanted to know if there is a standard way to identify if a mobile application is native or hybrid by looking at the apk file?
1 Answer
If it uses native code, then it should have references to System.load()
or System.loadLibrary()
. But ...
It could also just execute something native with Runtime
or ProcessBuilder
, or use DexClassLoader
to load a dex/jar which then performs this. But ...
Unfortunately, this could also be worked around, since Java could use reflection to hide any of the mentioned class/method names from static analysis.
-
Thanks domen.. I remember googling about this, where I read, if the application code contains 'webView' keyword then it could be a Hybrid application?? I don't know if its really that way.. Your inputs pls... Commented Jan 11, 2017 at 11:47
-
I don't understand the question. You read that apps containing WebView load native code? There's no obvious relation. Of course if you dig deep enough, you eventually come to native code, but that holds for many things (anything with system calls at least).– domenCommented Jan 11, 2017 at 13:27
-
1I think there's a misunderstanding about the meaning of "native" here. If I interpret the OP's intent correctly, it's about an app written in "native" Java/Kotlin vs hybrid framework such as React Native, Ionic, Mobile Angular UI, jQuery Mobile, PhoneGap (which are JavaScript-based, hence some of them need WebView to work), but also Flutter and Xamarin,– Andrew T. ♦Commented Dec 25, 2021 at 18:02