Why businesses should use caution with HTML5-based mobile apps

Antone Gonsalves | June 18, 2014
University researchers have found that HTML5-based mobile apps, which are expected to become more prevalent over the next several years, could add security risks for businesses.

Through developer error, the Web technology could automatically execute malicious code sent by an attacker via Wi-Fi, Bluetooth or a text message, researchers at Syracuse University reported last month at the Mobile Security Technologies Conference in San Jose, Calif.

"The malicious code can surreptitiously capture the victim's sensitive information off their mobile device and exfiltrate it to an attacker," Jack Walsh, a mobile security expert at ICSA Labs, said Monday in a blog post on the research. "Second, and potentially worse, the app may spread its malicious payload like a worm — SMS text messaging itself to all of the user's contacts."

Security weaknesses introduced in HTML5-based apps could become a bigger problem as their use grows. Because of the cross-platform nature of the Web technology, it is expected to be in more than half of all mobile apps by 2016, according to Gartner.

Developers introduce the vulnerability by using the wrong application programming interface (API): one that hands the app's data to the JavaScript engine for execution, the researchers said. In studying the problem, they found two HTML5-based apps in production that were vulnerable to attack.

Choosing the correct API is critical because the apps, which are a combination of the latest HTML standard, cascading style sheets (CSS) and JavaScript, allow for data and code to be mixed together.

If the developers just want to process data, but use the wrong APIs, the code in the mixture can be automatically executed, the researchers said.

"If such a data-and-code mixture comes from an untrustworthy place, malicious code can be injected and executed inside the app," the researchers said.

The risk of developer error is not unique to HTML5 apps.

"An HTML5-based app is no different from a web-based application and the same security measures should apply to both," Bogdan Botezatu, senior e-threat analyst for Bitdefender, said.

Ways in which an attacker could send a malicious code-data string to an HTML5 app include an SSID field broadcast by a Wi-Fi access point, a QR code, a JPEG image or metadata within an MP3 music file. The SSID, or service set identifier, is used in connecting devices to a network.

Malicious code could also be hidden in an SMS message displayed by the app, or sent from an infected device via Bluetooth if the app attempts a pairing.
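The mistake the researchers describe, and the channels listed above, can be shown side by side. The following is an added example, not code from the article or from the Syracuse study: a constructed Wi-Fi SSID and SMS body are rendered once with a template that mixes data into markup (the pattern that goes wrong when the result is assigned to `innerHTML` or jQuery's `.html()`) and once after escaping (the equivalent of `textContent`). The helper names (`escapeHtml`, `validateSsid`, `renderUnsafe`, `renderSafe`, `tagCount`) and the sample strings are this example's own assumptions. It runs under Node.js without a browser.

```javascript
// Added example (not from the article or the underlying research).
// Demonstrates why an untrusted field must be treated as data only.

// Escape the characters that would let text be re-read as HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Input validation for an SSID: strip control characters and enforce the
// 32-unit maximum the 802.11 standard puts on SSIDs (bytes in the spec;
// trimmed to 32 characters here for simplicity). Validation alone is not a
// fix, because '<' and '>' are legal SSID characters; escaping still applies.
function validateSsid(ssid) {
  const noControl = String(ssid).replace(/[\x00-\x1f\x7f]/g, '');
  return noControl.slice(0, 32);
}

// UNSAFE: the field is interpolated straight into markup. Assigning this
// string to element.innerHTML (or $(el).html()) lets any tag inside the
// data reach the rendering engine as code.
function renderUnsafe(field) {
  return `<li class="network">${field}</li>`;
}

// SAFE: same template, but the field is escaped first, so it can only be
// displayed as text. In a browser the simpler equivalent is
// li.textContent = field, which never parses its argument as HTML.
function renderSafe(field) {
  return `<li class="network">${escapeHtml(field)}</li>`;
}

// Detection aid for code review or tests: count tag openers in rendered
// output. A data field must not add tags beyond the template's own two.
function tagCount(html) {
  return (html.match(/<[a-zA-Z/!]/g) || []).length;
}

// Constructed sample inputs standing in for the channels the article names.
const SAMPLE_INPUTS = {
  ssidFromScan: 'CoffeeShop<script>steal()</script>', // constructed
  smsBody: 'Meet at 5 <b>sharp</b>',                  // constructed
  plainSsid: 'Home & Office',                         // constructed
};

// Stand-alone run: show that only the unsafe path grows the tag count.
for (const [source, value] of Object.entries(SAMPLE_INPUTS)) {
  const data = source === 'smsBody' ? value : validateSsid(value);
  console.log(source, 'unsafe tags:', tagCount(renderUnsafe(data)),
              'safe tags:', tagCount(renderSafe(data)));
}
```

The `tagCount` check is the kind of assertion worth keeping in an app's test suite: for every view that displays an externally sourced field, the rendered markup should contain exactly the tags the template declares, whatever the field contains.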

In order for HTML5-based apps to be cross-platform, they require a middleware framework that lets them connect to the underlying system resources, such as files, device sensors and the camera.
