Will the Promise of Hybrid Mobile Apps Outweigh New Security Concerns?
June 16, 2014
By Jack Walsh

The promise and benefit of hybrid mobile apps is that they can operate on many devices from Apple to Blackberry, from Microsoft to Samsung and everything in between. Typically written in HTML5 and JavaScript, hybrid mobile apps include a native container to facilitate access to the device’s native features. Gartner forecasts that hybrid mobile apps will account for half of all mobile apps by 2016.

But are they safe?

Recent studies indicate that enterprises developing hybrid mobile apps may need to pay more attention to security and privacy concerns than those developing native mobile apps.

Researchers at Syracuse University recently presented a paper on code injection attacks in HTML5-based mobile apps at a mobile security conference in California in May.

Their research demonstrates how many HTML5-based apps that attempt to display information received from a source outside the app are susceptible to code injection.  Unlike native apps that just display the would-be malicious code, the HTML5-based app, depending on the Javascript API, executes that code. The findings were consistent across all of the HTML5 based app development frameworks tested at Syracuse.

Syracuse researchers found that an affected app could inject code with a malicious payload via a number of sources including the seven below:

  • SSID field in one or more nearby WiFi access points,
  • Bluetooth device names with which the app attempts to pair,
  • JPEG images the app attempts to render,
  • SMS messages the app attempts to display,
  • Metadata from MP3s (such as the artist and song title) and MP4s that the app attempts to display,
  • RDS fields of FM radio,
  • 2D barcodes (e.g., QR codes) the app attempts to interpret.


When the app unwittingly executes the malicious code by performing one of the above listed functions, one of two things can occur.  First, the malicious code can surreptitiously capture the victim’s sensitive information off their mobile device and exfiltrate it to an attacker. Second (and potentially worse), the app may spread its malicious payload like a worm - SMS text messaging itself to all of the user’s contacts.

The researchers at Syracuse list some of the Javascript APIs that may be vulnerable to such attacks.  Enterprises developing HTML5 based apps should become familiar with them and carefully weigh the risk of using them in their hybrid apps. 

App susceptibility to code injection is just one of the many vulnerability-related testing elements that ICSA Labs can test for in its mobile app testing program.


Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

This question is for testing whether you are a human visitor to prevent automated spam submissions.
Enter the characters shown in the image.