The promise and benefit of hybrid mobile apps is that they can operate on many devices from Apple to Blackberry, from Microsoft to Samsung and everything in between. Typically written in HTML5 and JavaScript, hybrid mobile apps include a native container to facilitate access to the device’s native features. Gartner forecasts that hybrid mobile apps will account for half of all mobile apps by 2016.
But are they safe?
Recent studies indicate that enterprises developing hybrid mobile apps may need to pay more attention to security and privacy concerns than those developing native mobile apps.
Researchers at Syracuse University recently presented a paper on code injection attacks in HTML5-based mobile apps at a mobile security conference in California in May.
Their research demonstrates how many HTML5-based apps that attempt to display information received from a source outside the app are susceptible to code injection. Unlike native apps that just display the would-be malicious code, the HTML5-based app, depending on the Javascript API, executes that code. The findings were consistent across all of the HTML5 based app development frameworks tested at Syracuse.
Syracuse researchers found that an affected app could inject code with a malicious payload via a number of sources including the seven below:
When the app unwittingly executes the malicious code by performing one of the above listed functions, one of two things can occur. First, the malicious code can surreptitiously capture the victim’s sensitive information off their mobile device and exfiltrate it to an attacker. Second (and potentially worse), the app may spread its malicious payload like a worm - SMS text messaging itself to all of the user’s contacts.
The researchers at Syracuse list some of the Javascript APIs that may be vulnerable to such attacks. Enterprises developing HTML5 based apps should become familiar with them and carefully weigh the risk of using them in their hybrid apps.
App susceptibility to code injection is just one of the many vulnerability-related testing elements that ICSA Labs can test for in its mobile app testing program.
Comments
Post new comment