Gartner forecasts that HTML5 will be used in half of all mobile apps by 2016, but some say HTML5 apps are more susceptible to code injection attacks. Is this a cause for concern?
HTML5 is supported by all major mobile devices, making it an obvious choice for creating and deploying apps across multiple platforms and devices. It simplifies development and maintenance as the same code base can be used across all platforms, and it also removes the need for vulnerable multimedia plugins and apps like Adobe Flash. Gartner predicts hybrid mobile apps that make use of HTML5 will account for half of all mobile apps by 2016.
Unlike native apps, which display would-be malicious code as plain text, an HTML5-based app may well execute it. If the app doesn't safely handle data received from an external channel before handing it to the framework for processing (such as rendering a JPEG image or displaying an SMS message), an attacker can inject code that runs inside the app on the device, read data on the device, or launch attacks against other devices (for example by sending SMS messages to everyone in the device's contact list). There are a number of channels through which an attacker can deliver such code to a vulnerable app: the SSID of a Wi-Fi network the device connects to, a QR code, an SMS message, a JPEG image, or metadata within an MP3 music file. Although the researchers who demonstrated these attacks concentrated on PhoneGap and Android, the same problems apply to other operating systems: apps are portable across platforms, and so are their vulnerabilities.
To prevent these attacks, developers need to ensure all data and inputs from untrusted sources are validated and sanitized on the principle of accepting only what is explicitly allowed and discarding all other input, and that whatever is accepted is handled as text rather than as markup when it reaches the rendering engine (for example by setting an element's textContent rather than its innerHTML). In addition, administrators need to restrict an app's permissions until it has been fully risk assessed.
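The following is an added example written for this edit, not code from the column or from PhoneGap. It shows the injection pattern described above with a constructed rogue-AP SSID payload, and the two defenses: HTML-encoding untrusted values before they are mixed with markup (the string equivalent of using textContent instead of innerHTML) and allowlist validation that discards anything the field should not contain. The allowlist patterns for SSIDs and phone numbers are this example's own assumptions about what the app needs, not a standard.

```javascript
// Added example (not from the original column): how a Wi-Fi SSID, SMS body
// or contact name spliced into a hybrid app's page becomes executable code,
// and how to prevent it. Payloads and allowlist rules are constructed here.

// Constructed payload: an SSID an attacker can broadcast from a rogue access
// point. At 28 characters it fits within the 32-byte 802.11 SSID limit.
const MALICIOUS_SSID = '<img src=x onerror=alert(1)>';

// Insecure pattern: the untrusted value is interpolated straight into HTML
// that the app later assigns to innerHTML, so the browser parses it as
// markup and the onerror handler runs with the app's privileges.
function renderWifiListUnsafe(ssids) {
  return '<ul>' + ssids.map(s => `<li>${s}</li>`).join('') + '</ul>';
}

// Defense 1: HTML-encode untrusted data so it is displayed, never parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function renderWifiListSafe(ssids) {
  return '<ul>' + ssids.map(s => `<li>${escapeHtml(s)}</li>`).join('') + '</ul>';
}

// Defense 2: allowlist validation. Accept only what the field is supposed to
// contain and discard everything else. Assumption for this example: the app
// only ever needs SSIDs made of ASCII letters, digits, space, '_', '.', '-'.
const SSID_ALLOWED = /^[A-Za-z0-9 _.\-]{1,32}$/;
function isValidSsid(value) {
  return typeof value === 'string' && SSID_ALLOWED.test(value);
}

// Same principle for a phone number taken from an incoming SMS or the
// contact list before it is handed to a plugin that sends messages
// (assumed format: optional '+' followed by 3 to 15 digits).
const PHONE_ALLOWED = /^\+?[0-9]{3,15}$/;
function isValidPhone(value) {
  return typeof value === 'string' && PHONE_ALLOWED.test(value);
}

// Defense in depth: drop anything that fails the allowlist, then encode
// what survives, so a gap in one control is still covered by the other.
function renderWifiList(ssids) {
  return renderWifiListSafe(ssids.filter(isValidSsid));
}

// Stand-alone run: compare what each rendering path would put in the page.
if (typeof require !== 'undefined' && require.main === module) {
  const seen = [MALICIOUS_SSID, 'CoffeeShop_Guest', 'Home-Net'];
  console.log('unsafe :', renderWifiListUnsafe(seen));
  console.log('escaped:', renderWifiListSafe(seen));
  console.log('filtered+escaped:', renderWifiList(seen));
}
```

The unsafe renderer is exactly the pattern found in apps that build list items or message bubbles with string templates; the fix is not a regex that strips `<script>` tags (the payload above contains none) but encoding every untrusted value and rejecting input that does not match what the field legitimately needs.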
The risk of developer error and poor coding is not unique to HTML5 apps, but enterprises creating their own apps may want to restrict developers to coding only native mobile apps, which are not exposed to this particular class of injection. If HTML5-based apps are considered the best option, then ensure developers are trained in how to code securely and are kept abreast of the latest attacks that use HTML5 as an attack vector. Those using a mobile enterprise application platform suite to develop and deliver to multiple platforms, or those who are beginning to port native apps to HTML5, should review the new code to ensure APIs are used correctly and data is sanitized appropriately. An HTML5-based app is no different from a Web-based application; during development the same security checks should apply, particularly as mobile apps tend to run with a wide range of permissions, such as access to contact lists.
Network administrators need to be aware that cybercriminals may start taking advantage of HTML5-based mobile apps to launch attacks, and should therefore keep intrusion detection system filters up to date with signatures for any newly discovered attacks. IT teams should also risk assess any apps that will be used on devices connecting to the enterprise network.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)