Hybrid mobile apps could be ticking security time bomb


Hybrid mobile apps, which are forecast by Gartner to account for half of all mobile apps by 2016, pose significant security risks, warns ICSA Labs.

Researchers at Syracuse University have demonstrated that HTML5-based hybrid apps are more susceptible to code injection than native apps. In the demonstrated attacks, the injected code could capture personal information and send it to an attacker, and could spread the malware to a victim's contacts through SMS text messages, the security testing lab explains.

"Unlike native apps that just display the would-be malicious code, the HTML5-based app, depending on the Javascript API, executes that code. The findings were consistent across all of the HTML5 based app development frameworks tested at Syracuse," writes Jack Walsh, mobility program manager at ICSA Labs, in a blog.

"The researchers at Syracuse list some of the Javascript APIs that may be vulnerable to such attacks. Enterprises developing HTML5 based apps should become familiar with them and carefully weigh the risk of using them in their hybrid apps," Walsh advises.

In an interview with FierceMobileIT, Walsh explains that a hybrid app is HTML5 and Javascript packaged inside a native container, which lets the same app run across different mobile operating systems.

"If you are developing these hybrid apps, you have to take steps to consider which APIs you are using because in some cases the API renders [displays] the way a native app would but in some cases it also executes" code that could be malicious, Walsh says.
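The distinction Walsh draws, between APIs that only display a string and APIs that interpret it as markup or code, can be checked mechanically. The following is an added example, not code from the article or the Syracuse paper: a small scanner that flags the sink APIs commonly cited for this problem (my own list, since the article does not reproduce the researchers' list) and an escaping helper that keeps SMS or contact data as plain text.

```javascript
// Added example for defenders reviewing hybrid-app JavaScript.
// RISKY_SINKS is an assumed list of well-known DOM/JS APIs that interpret
// a string as HTML or code; it is not the Syracuse researchers' list.
const RISKY_SINKS = [
  { name: 'innerHTML',      re: /\.innerHTML\s*=/ },
  { name: 'outerHTML',      re: /\.outerHTML\s*=/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'eval',           re: /\beval\s*\(/ },
  { name: 'jQuery html()',  re: /\.html\s*\(/ },
];

// Scan JavaScript source text and return one finding per line that uses
// a sink, so a reviewer can check whether untrusted data (an SMS body, a
// contact name, a QR code) can reach it.
function findRiskySinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const sink of RISKY_SINKS) {
      if (sink.re.test(line)) findings.push({ line: idx + 1, api: sink.name });
    }
  });
  return findings;
}

// Escape the HTML-significant characters so that data which must pass
// through an HTML-interpreting sink is displayed rather than executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample of hybrid-app code: line 2 renders an SMS body as
// markup (the "executes" case), line 3 renders the same value as text.
const SAMPLE_SOURCE = [
  "const body = sms.body;",
  "document.getElementById('msg').innerHTML = body;",
  "document.getElementById('msg').textContent = body;",
].join('\n');
```

Running `findRiskySinks(SAMPLE_SOURCE)` reports only line 2; the `textContent` assignment on line 3 displays the same data without interpreting it.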

For more:
- check out Walsh's blog
- read the Syracuse researchers' paper [pdf]
