Why businesses should use caution with HTML5-based mobile apps

University researchers have found that HTML5-based mobile apps, which are expected to become more prevalent over the next several years, could add security risks for businesses.

Through developer error, the Web technology could automatically execute malicious code sent by an attacker via Wi-Fi, Bluetooth or a text message, researchers at Syracuse University reported last month at the Mobile Security Technologies Conference in San Jose, Calif.


"The malicious code can surreptitiously capture the victim's sensitive information off their mobile device and exfiltrate it to an attacker," Jack Walsh, a mobile security expert at ICSA Labs, said Monday in a blog post on the research. "Second, and potentially worse, the app may spread its malicious payload like a worm -- SMS text messaging itself to all of the user's contacts."

Security weaknesses introduced in HTML5-based apps could become a bigger problem as their use grows. Because of the cross-platform nature of the Web technology, it is expected to be in more than half of all mobile apps by 2016, according to Gartner.

Developers introduce the vulnerability by using the wrong application programming interface (API) that allows the app to send code to the JavaScript engine for execution, the researchers said. In studying the problem, they found two HTML5-based apps in production that were vulnerable to attack.

Choosing the correct API is critical because the apps, which are a combination of the latest HTML standard, cascading style sheets (CSS) and JavaScript, allow for data and code to be mixed together.

If the developers just want to process data, but use the wrong APIs, the code in the mixture can be automatically executed, the researchers said.

"If such a data-and-code mixture comes from an untrustworthy place, malicious code can be injected and executed inside the app," the researchers said.
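The following is an added illustration of the data-and-code mix described above; it is not code from the article, from PhoneGap or from the Syracuse researchers. It sketches a hypothetical Wi-Fi scanner screen in an HTML5 app: the scan results, the helper names and the hostile entry are all constructed for the example. The vulnerable builder concatenates network names straight into markup destined for an HTML-interpreting sink, so a name that contains markup becomes live code; the hardened builder first validates the value and then escapes it.

```javascript
// Added example (not the article's or any framework's code): rendering Wi-Fi
// network names in a hypothetical HTML5/PhoneGap-style app. All names below
// are constructed for illustration.

// Constructed scan results, shaped like what a hypothetical scan plugin might
// return. The second entry carries markup instead of a network name; the
// third is a legitimate name that merely contains HTML-significant characters.
const SAMPLE_SCAN = [
  { ssid: "CoffeeShop_Guest", level: -45 },
  { ssid: '<img src=x onerror="attackerCode()">', level: -70 }, // constructed hostile entry
  { ssid: "Bob's <Guest>", level: -58 },
];

// Minimal HTML escaping for text that will be placed in an HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 802.11 SSIDs are at most 32 octets. Anything longer, or containing control
// characters, cannot be a real network name and is dropped before rendering.
function isPlausibleSsid(s) {
  if (typeof s !== "string") return false;
  const octets = Buffer.byteLength(s, "utf8"); // Node API; TextEncoder in a browser
  if (octets > 32) return false;
  return !/[\x00-\x1f\x7f]/.test(s);
}

// VULNERABLE: data and code are mixed. The returned string is meant for an
// HTML-interpreting sink (e.g. element.innerHTML), so a hostile SSID turns
// into a live element whose event handler runs inside the app.
function buildListMarkupUnsafe(scan) {
  return (
    "<ul>" +
    scan.map((n) => `<li>${n.ssid} (${n.level} dBm)</li>`).join("") +
    "</ul>"
  );
}

// HARDENED: validate first, then escape, so the value can only ever be data
// by the time it reaches an HTML sink. Signal level is coerced to a number.
function buildListMarkupSafe(scan) {
  return (
    "<ul>" +
    scan
      .filter((n) => isPlausibleSsid(n.ssid))
      .map((n) => `<li>${escapeHtml(n.ssid)} (${Number(n.level)} dBm)</li>`)
      .join("") +
    "</ul>"
  );
}
```

The simpler fix, and the one to prefer inside the app, is to avoid the markup-interpreting API altogether: create the `<li>` elements with `document.createElement` and assign the name via `textContent`, which cannot interpret markup. Escaping and length validation remain worthwhile when a string must pass through an HTML sink, and the same two layers apply to every other untrusted input source the article lists (SMS bodies, QR payloads, file metadata, Bluetooth device names).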

The risk of developer error is not unique to HTML5 apps.

"An HTML5-based app is no different from a web-based application and the same security measures should apply to both," Bogdan Botezatu, senior e-threat analyst for Bitdefender, said.

Ways in which an attacker could send a malicious code-data string to an HTML5 app include the SSID field broadcast by a Wi-Fi access point, a QR code, a JPEG image or metadata within an MP3 music file. The SSID, or service set identifier, is the network name used when connecting devices to a network.

Another place malicious code could be hidden is an SMS message displayed by the app. The code could also be sent from an infected device via Bluetooth if the app attempts a pairing.

In order for HTML5-based apps to be cross-platform, they require a middleware framework that lets them connect to the underlying system resources, such as files, device sensors and the camera.

Google Android, Apple iOS and Windows Phone have different containers that apps use for accessing services, so developers let the framework creators handle the plumbing underneath the Web app.

Examples of frameworks include PhoneGap, RhoMobile and Appcelerator. The researchers studied 186 PhoneGap plugins and found 11 that were vulnerable to the code-injection attack.


While the researchers only used PhoneGap and Android for their work, the same problems apply across operating systems.

"Since apps are portable across platforms, so are their vulnerabilities," the researchers said. "Therefore, our attacks also work on other platforms."

Stories by Antone Gonsalves