Application Security Issues for HTML5-based Mobile Apps
HTML is no longer restricted to just websites. With its latest edition, HTML5, the markup language family has now become a popular choice for mobile applications. After gathering the relevant data and researching, Gartner predicted two things; firstly, HTML5 would be the most commonly used language for mobile applications in 2015 and secondly, HTML5-based hybrid mobile app using technologies such as PhoneGap, Codova or React Native reach up to be 50% of all mobile apps 2016.
This is becoming more relevant to enterprises, a seen in below figures from Gartner. Hybrid and web apps account for 60% of total consumer apps and a whopping 90% of total enterprise mobile apps.
Gartner's table comparing Consumer/Enterprise Mobile Apps in 2015
As large enterprises go mobile, they want to develop their portfolios of mobile apps to support a large number of functional tasks from various departments and business units. For this reason, HTML5 becomes more appealing to enterprises economically, according to Apperian, a Mobile App Management Company. 
HTML5 offers many advantages for building and deploying enterprise mobile apps in terms of cross-platform support, speed of development and ease of maintenance.
However, HTML5-based applications are not without downside and sometimes can be a source of inconvenience for mobile app developers.
- App developers are restricted on what they can do while working with development frameworks like PhoneGap. For example, they have to use bridges to access native features.
- Rendering HTML and CSS may take longer than rendering native components.
- New versions of Android usually introduce new components (nicer datepickers, transition effects etc.) which don’t apply to HTML5-based apps. You need to “emulate” them which relatively take more time.
Mobile application security issue and what does this mean for enterprises?
As mentioned above, hybrid and web app account for 90% of total enterprise mobile apps. Half of mobile apps will use HTML5 which expands the attack surface of application backend servers.
Various studies and researchers found that HTML5 have a lot of security vulnerabilities which can be exploited to perform code injection attacks. Under the exploits, attackers “inject malicious code into a mobile device, hackers can only access data on the target device, but also use it to launch attacks on other devices.”  According to Jaykishan Panchal, “The malicious code can capture sensitive information and expose the victim’s mobile device to an attacker.” “Worse, the malicious code can spread and cause the app to carry out undesired tasks such as sending SMS text messages.” 
Application security issues inside HTML5 are often related to app developers making mistakes in the programming. But this should not surprise anybody, because obviously mobile app developers are not experts in security and thus have limited knowledge of mobile app security.
HTML5 gives developers more functionality, but at the same time introduces more vulnerability, for example, cross-site-scripting (XSS)  or other application attacks. When users allows other mobile apps to access locally stored data like photos, locations, contacts, they of course don’t know if these apps are malicious. Therefore, it is up to app developers to write code that prevent such intrusions and attacks from other apps in future, if such a situation arises. It’s also necessary to have a solution that can protect locally stored data of the mobile app from outside access. For example, TeskaLabs’ SeaCat SDK can protect cross-access from other malicious apps, in the case if the vulnerability already exists inside the protected app.
For more information, read this article by George Lawton, TechTarget, to understand “why HTML5 security needs to be at the forefront of architects' minds." 
HTML5 is not entirely to blame as mobile operating systems are vulnerable in general. Mobile is a fast growing segment, and mobile app development goes much faster than security. Everyone focuses on new functionalities and user experience rather than on security; security is just another burden.
Use this HTML5 security cheat sheet  as a guide to implement HTML 5 in a secure way.
Syracuse University’s researchers recommend to find solution in the following three approaches to XSS: 1) Sanitization, which is filtering the code mixed with data; 2) Mitigation or restricting the permissions for untrusted code and 3) Tainting or tagging inputs from any unreliable sources and not allowing them to run. (via SitePoint)
This solution has to be done on endpoint devices, inside the operating system or the application. The operating system must force untrusted program to stop or limit resources for this kind of code.
Realistically speaking mobile app developers are not expected to know everything about security measure, but in order to tackle this problem they need to collaborate with security experts during the design and development of the mobile application to write secure code and reduce/prevent flaws in programming and prevent this to happen in the future.
How SeaCat Mobile Secure Gateway helps your enterprise operate mobile applications securely?
SHIELD YOUR MOBILE APPLICATION BACKEND FROM DIRECT EXPOSURE TO THE INTERNET AND REDUCE THE ATTACK SURFACE OF THE APPLICATION’S BACKEND SERVERS
There is no absolute and perfect mobile app security solution. The goal is to make it harder and more costly for attackers to conduct attacks.
Teskalabs’ SeaCat Mobile Secure Gateway operates on the application layer, but remains invisible for the actual mobile application. It indisputably authenticates every client connection and logs illegitimate attempts. SeaCat Mobile Secure Gateway shields the application backend from the Internet, thus no one without authorization can execute even a simple port scan against it.
All traffic between the client and the application backend is strongly encrypted and digitally signed. Every connection attempt is audited and contains user identification which gives you much better control over who can access your information.
Our solution protects access to application backend by separating authorized clients (only allowed user can communicate) from the others. If the attacker is an insider, he may be able to trigger an attack against the application logic. However, a basic prerequisite have to be met - the attacker must be an authorized user or already inside your private network. And that is a completely different problem.
AUTOMATED SCANS WILL NOT DISCOVER YOUR APPLICATION BACKEND SERVER’S SOFTWARE AND ITS VERSION.
Your server will not be enlisted on a hacker's database for future attacks. When zero-day vulnerabilities are found, you will be spared from being exploited because hackers don't know that you are operating this application stack.
DEEP PACKET INSPECTION, MOBILE TRAFFIC MONITOR AND TRACKING ABILITIES
In the approach recommended by Syracuse University, deeply inspecting the packets by Intruder Detection System (IDS) or Web Application Firewall (WAF) is a powerful technique to avoid application attacks that use application logic (SQL Injection, XSS, etc.).
The inspection can be done inside the private network between SeaCat Mobile Secure Gateway and the application backend. Since the mobile application communication has very clear patterns, it is not difficult for the IDS/WAF to detect incorrect or malicious patterns. If this happens, IDS/WAF signals back to the Mobile Secure Gateway that a particular user is not trusted. The user’s cryptographic identity (certificate) is removed from the list of allowed users. Then this user will no longer be able to communicate with the Gateway, stopping further communication attempt to the backend. The Gateway can switch into a honeypot and record the hackers’ activities to see what he’s up to. It’s tricky to attack a defense system like this.
An example of using HTML5 and SeaCat to build a secure payment system
We went to the ICE Totally Gaming event last week and met a few developers who asked us how to build secure mobile payments using HTML5 and SeaCat.
You can see below an architecture example to secure mobile payment used in mobile gaming applications.
Mobile payment services are connected via a trusted network such as VPN and don’t pose significant risks.
The mobile application backend is covered by SeaCat Gateway that authorizes every connection attempt made by application/user identification from the mobile application.
Access to the application backend is allowed only to the authorized clients and prohibited for other parties. If an insider wants to start an attack against the application logic, through deep packet inspection process, SeaCat Gateway is informed, thus switch to honeypot mode and perform detailed recordings of suspicious activities.
If you’d like to get a true assessment of the security of your mobile application and its backend, please request a FREE Demo. Or, to learn more about TeskaLabs’ SeaCat Mobile Secure Gateway and how we can help you with the security of your mobile solutions, please visit www.teskalabs.com/products/seacat-mobile-secure-gateway.
- http://www.sitepoint.com/security-risks-html5-apps/ from SitePoint
- Custom Made vs. Off-The-Shelf Mobile Apps – The Issue of Security
- You Can Build Apps for the Apple TV, But Do You Know How to Do It Securely?
- We Know Why 85% of Mobile Apps Suck in Security. Do You?
- 7 Reasons Why Testing the Security of Mobile Applications Is Crucial for Enterprises
- The Top 5 Mobile Application Security Issues You Need to Address When Developing Mobile Applications
- What Is a Mobile Application Containerization, or Wrapper, and Why Must It Die?
Most Recent Articles
You Might Be Interested in Reading These Articles
What seems to be a Sci-Fi movie with “talking” vehicles and “flying” machines has now become a reality. Automotive companies, seeing huge opportunity and wanting to entice their customers, are rushing to produce more car features so drivers can avoid traffic congestion, plan the next route, check the status of the car, find an available parking space, request for road assistance, or notify friends/family members/business contacts of news.
Published on May 10, 2016
Security Researcher Filip Chytry: Online Security Is an Unattractive Topic - until People Get Hacked
I studied at Applied Cybernetics school and worked on various fields: robotics, networks and programming. There I got curious about security and became increasingly passionate about the industry, trying to learn more about cyber crime and attempting to hack into my classmates‘ computers for fun.
Published on August 20, 2015
Apple will want to dominate the market for TV apps. To achieve this objective, it’s understandable that Apple makes it easy for app developers to create apps and games for the Apple TV platform using tvOS and profit from them just as they have already done so for the iPhone and iPad devices. Developers can leverage similar frameworks and technologies since tvOS is just a modified version of the iOS. They can even retrofit the apps that were previously developed for iOS to support the Apple TV’s tvOS.
Published on June 29, 2016