By now, developers have grown accustomed to dealing with certain “traditional” threats in Web applications. Injection flaws and cross-site scripting, for instance, have been on the OWASP Top 10 list for years. But take those same Web applications and convert them to mobile HTML5 applications, and suddenly older, “lower-impact” threats become significantly higher risk on the mobile platform.
Developers should remember that any vulnerability that affects a Web application can also affect a mobile HTML5 application. And because mobile apps have access to more features, including local storage on the device, contacts, location, and other sensitive information, the same threats are magnified in a mobile environment.
Adding to the problem, many developers use multi-platform development and deployment tools that can themselves introduce vulnerabilities into the application. On top of that, many Web app specialists are now being asked to build mobile apps without a proper understanding of the security implications.
Here are five traditional threats that are magnified in a mobile HTML5 environment:
1. Local Storage: With traditional Web apps, little data lives on the client beyond cookies, so the risk from local storage is minimal. In a mobile app, local storage (Web Storage, local databases, files in the app’s sandbox) is key to the user experience, and that practice raises the impact of this vulnerability.
All too often, mobile HTML5 apps leave sensitive user data scattered through the app’s storage area on the device, where it can be read by anyone with access to the device or its backups. This may include sensitive data in plaintext files, weakly protected data (for example, passwords or PINs stored as unsalted hashes, which are recovered by brute force in seconds), or even the encryption keys themselves, stored beside the data they protect. Developers must assume that anything written to device storage will be read and manipulated by other applications and by malicious actors. Tip for Developers: Do not store sensitive user data on the device; keep session secrets in memory and fetch what you need from the server.
2. Cross-Origin Resource Sharing: CORS is the mechanism by which a page is permitted to read responses from, and so depend on scripts and data hosted at, origins other than its own. Its risks are well known for Web apps but often overlooked in mobile HTML5 apps, which are frequently configured to allow resources to be loaded from and shared with any external origin (a wildcard origin allowlist rather than a short list of trusted hosts). This puts the app at a much higher risk of loading malicious external scripts, particularly once an attacker has a cross-site scripting foothold: an injected script tag pointing anywhere will be fetched and executed inside the app with the app’s device privileges.
Geoffrey Vaughan is an IT security consultant at Security Compass, an information security firm specializing in Web and mobile application security.
Guest Views are contributions by SD Times readers. Interested in contributing a Guest View? See the guidelines for the details.