Mobile Application Security Issues for HTML5-based Mobile Apps

Application Security Issues for HTML5-based Mobile Apps

HTML is no longer restricted to just websites. With its latest edition, HTML5, the markup language family has now become a popular choice for mobile applications. After gathering the relevant data and researching, Gartner predicted two things; firstly, HTML5 would be the most commonly used language for mobile applications in 2015 and secondly, HTML5-based hybrid mobile app using technologies such as PhoneGap, Codova or React Native reach up to be 50% of all mobile apps 2016.

This is becoming more relevant to enterprises, a seen in below figures from Gartner. Hybrid and web apps account for 60% of total consumer apps and a whopping 90% of total enterprise mobile apps.

Gartner's table comparing Consumer/Enterprise Mobile Apps in 2015

Category Native Hybrid Web
Consumer 40 40 20
Enterprise 10 60 30

As large enterprises go mobile, they want to develop their portfolios of mobile apps to support a large number of functional tasks from various departments and business units. For this reason, HTML5 becomes more appealing to enterprises economically, according to Apperian, a Mobile App Management Company. [1]

HTML5 offers many advantages for building and deploying enterprise mobile apps in terms of cross-platform support, speed of development and ease of maintenance.

However, HTML5-based applications are not without downside and sometimes can be a source of inconvenience for mobile app developers.

  • App developers are restricted on what they can do while working with development frameworks like PhoneGap. For example, they have to use bridges to access native features.
  • Rendering HTML and CSS may take longer than rendering native components.
  • New versions of Android usually introduce new components (nicer datepickers, transition effects etc.) which don’t apply to HTML5-based apps. You need to “emulate” them which relatively take more time.

Mobile application security issue and what does this mean for enterprises?

As mentioned above, hybrid and web app account for 90% of total enterprise mobile apps. Half of mobile apps will use HTML5 which expands the attack surface of application backend servers.

Various studies and researchers found that HTML5 have a lot of security vulnerabilities which can be exploited to perform code injection attacks. Under the exploits, attackers “inject malicious code into a mobile device, hackers can only access data on the target device, but also use it to launch attacks on other devices.” [2] According to Jaykishan Panchal, “The malicious code can capture sensitive information and expose the victim’s mobile device to an attacker.” “Worse, the malicious code can spread and cause the app to carry out undesired tasks such as sending SMS text messages.” [3]

Application security issues inside HTML5 are often related to app developers making mistakes in the programming. But this should not surprise anybody, because obviously mobile app developers are not experts in security and thus have limited knowledge of mobile app security.

HTML5 gives developers more functionality, but at the same time introduces more vulnerability, for example, cross-site-scripting (XSS) [4] or other application attacks. When users allows other mobile apps to access locally stored data like photos, locations, contacts, they of course don’t know if these apps are malicious. Therefore, it is up to app developers to write code that prevent such intrusions and attacks from other apps in future, if such a situation arises. It’s also necessary to have a solution that can protect locally stored data of the mobile app from outside access. For example, TeskaLabs’ SeaCat SDK can protect cross-access from other malicious apps, in the case if the vulnerability already exists inside the protected app.

For more information, read this article by George Lawton, TechTarget, to understand “why HTML5 security needs to be at the forefront of architects' minds." [5]

HTML5 is not entirely to blame as mobile operating systems are vulnerable in general. Mobile is a fast growing segment, and mobile app development goes much faster than security. Everyone focuses on new functionalities and user experience rather than on security; security is just another burden.

Recommended solutions

Use this HTML5 security cheat sheet [6] as a guide to implement HTML 5 in a secure way.

Syracuse University’s researchers recommend to find solution in the following three approaches to XSS: 1) Sanitization, which is filtering the code mixed with data; 2) Mitigation or restricting the permissions for untrusted code and 3) Tainting or tagging inputs from any unreliable sources and not allowing them to run. (via SitePoint)

This solution has to be done on endpoint devices, inside the operating system or the application. The operating system must force untrusted program to stop or limit resources for this kind of code.

Realistically speaking mobile app developers are not expected to know everything about security measure, but in order to tackle this problem they need to collaborate with security experts during the design and development of the mobile application to write secure code and reduce/prevent flaws in programming and prevent this to happen in the future.

How SeaCat Mobile Secure Gateway helps your enterprise operate mobile applications securely?


There is no absolute and perfect mobile app security solution. The goal is to make it harder and more costly for attackers to conduct attacks.

Teskalabs’ SeaCat Mobile Secure Gateway operates on the application layer, but remains invisible for the actual mobile application. It indisputably authenticates every client connection and logs illegitimate attempts. SeaCat Mobile Secure Gateway shields the application backend from the Internet, thus no one without authorization can execute even a simple port scan against it.

All traffic between the client and the application backend is strongly encrypted and digitally signed. Every connection attempt is audited and contains user identification which gives you much better control over who can access your information.

Our solution protects access to application backend by separating authorized clients (only allowed user can communicate) from the others. If the attacker is an insider, he may be able to trigger an attack against the application logic. However, a basic prerequisite have to be met - the attacker must be an authorized user or already inside your private network. And that is a completely different problem.


Your server will not be enlisted on a hacker's database for future attacks. When zero-day vulnerabilities are found, you will be spared from being exploited because hackers don't know that you are operating this application stack.


In the approach recommended by Syracuse University, deeply inspecting the packets by Intruder Detection System (IDS) or Web Application Firewall (WAF) is a powerful technique to avoid application attacks that use application logic (SQL Injection, XSS, etc.).

The inspection can be done inside the private network between SeaCat Mobile Secure Gateway and the application backend. Since the mobile application communication has very clear patterns, it is not difficult for the IDS/WAF to detect incorrect or malicious patterns. If this happens, IDS/WAF signals back to the Mobile Secure Gateway that a particular user is not trusted. The user’s cryptographic identity (certificate) is removed from the list of allowed users. Then this user will no longer be able to communicate with the Gateway, stopping further communication attempt to the backend. The Gateway can switch into a honeypot and record the hackers’ activities to see what he’s up to. It’s tricky to attack a defense system like this.

An example of using HTML5 and SeaCat to build a secure payment system

We went to the ICE Totally Gaming event last week and met a few developers who asked us how to build secure mobile payments using HTML5 and SeaCat.

You can see below an architecture example to secure mobile payment used in mobile gaming applications.

Mobile payment services are connected via a trusted network such as VPN and don’t pose significant risks.

The mobile application backend is covered by SeaCat Gateway that authorizes every connection attempt made by application/user identification from the mobile application.

Access to the application backend is allowed only to the authorized clients and prohibited for other parties. If an insider wants to start an attack against the application logic, through deep packet inspection process, SeaCat Gateway is informed, thus switch to honeypot mode and perform detailed recordings of suspicious activities.

If you’d like to get a true assessment of the security of your mobile application and its backend, please request a FREE Demo. Or, to learn more about TeskaLabs’ SeaCat Mobile Secure Gateway and how we can help you with the security of your mobile solutions, please visit


  3. from SitePoint

Additional reading:

  1. Custom Made vs. Off-The-Shelf Mobile Apps – The Issue of Security
  2. You Can Build Apps for the Apple TV, But Do You Know How to Do It Securely?
  3. We Know Why 85% of Mobile Apps Suck in Security. Do You?
  4. 7 Reasons Why Testing the Security of Mobile Applications Is Crucial for Enterprises
  5. The Top 5 Mobile Application Security Issues You Need to Address When Developing Mobile Applications
  6. What Is a Mobile Application Containerization, or Wrapper, and Why Must It Die?

About the Author

Cindy Dam

TeskaLabs’ Marketing & Community Manager, Cindy Dam, has a penchant for hacking and storytelling. When she's not reading and writing about cyber hacking, she reads, writes, and comes up with mind and travel hacks.

You Might Be Interested in Reading These Articles

A Warning about Zero-Day Vulnerability

A zero-day, also called zero-hour, vulnerability is a security flaw in the code that cyber criminal can use to access your network. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape. There is no known fix, and by the time hackers attack, the damage is already done

Continue reading ...


Published on May 12, 2015

Should I Use Contactless (NFC) Payment Cards?

Nowadays, almost all smartphones contain NFC (Near field communication) technology. Contactless cards use this technology when they communicate with contactless payment terminals to exchange needed information and proceed with the transaction. However, you can also do this by using your smartphone.

Continue reading ...


Published on February 16, 2016

Security Is Driving the Adoption of Connected Cars

What seems to be a Sci-Fi movie with “talking” vehicles and “flying” machines has now become a reality. Automotive companies, seeing huge opportunity and wanting to entice their customers, are rushing to produce more car features so drivers can avoid traffic congestion, plan the next route, check the status of the car, find an available parking space, request for road assistance, or notify friends/family members/business contacts of news.

Continue reading ...

automotive security v2x

Published on May 10, 2016