HTML5 has been gaining steam among mobile app developers for several years now. Its advantages over native apps, such as interoperability across devices, speedier development times and easier maintenance, are some of the big reasons why Gartner predicts that, by 2016, HTML5 will be used in more than half of all mobile apps. However, while HTML5 may make developers’ and businesses’ lives easier, it also has one potentially serious flaw: mobile apps based on HTML5 are more susceptible to code injection attacks.
That’s the conclusion reached in a new study by researchers at Syracuse University, which demonstrated such a flaw in some existing HTML5 apps. By exploiting vulnerabilities in these apps to inject malicious code into a mobile device, hackers can not only access data on the target device, but also use it to launch attacks on other devices. The increasing use of HTML5 for mobile apps means that native apps which are currently immune to these sorts of attacks may, in the future, become less secure as they are ported to HTML5.
Middleware is the problem
HTML5 mobile apps run within a web container that supports HTML5 and JavaScript, such as WebView on Android. While these containers sandbox the web code to protect the operating system, middleware has been developed to allow the JavaScript to make calls to the system in the native language (for example, to access a camera). It’s this middleware that is susceptible to code injection attacks.
Web frameworks, in general, are susceptible to malicious code injection (better known as cross-site scripting, XSS, attacks) because they accept both data and code (e.g., HTML-tagged content and JavaScript), automatically executing the latter. The situation is more dangerous on mobile devices, however, because of all the permissions we generally give apps, like accessing location data, contact lists, cameras, etc.
Also, unlike a web browser on a desktop computer, a mobile device has more channels through which malicious code can reach it. For example, code can be injected as part of the SSID of a Wi-Fi hotspot, directly in a barcode or QR code, or in the metadata of a media file. Once malicious code has been injected into one app, it can be injected into other apps or even spread to other devices (for example, through SMS).
The Syracuse researchers set out to demonstrate that existing HTML5 apps can be attacked in this manner. In particular, they looked at apps that used a popular open source middleware called PhoneGap. PhoneGap uses plugins to access parts of the mobile device beyond the web container. Of the 186 PhoneGap plugins available at the time, they found that 77 were exploitable, meaning that they would accept data (which could contain code) from an external channel and return it to the web container, where it could be executed.
Analyzing 764 free Android apps that used PhoneGap, the researchers were able to successfully carry out code injection attacks on 2 of them. While that’s a small percentage (just 0.26%), consider that there were more than 12,000 free apps in the Google Play store at the time (so, 6.5% of the apps used PhoneGap). As the percentage of mobile apps using HTML5 grows, the number of apps which can be attacked this way could grow quickly.
What’s the solution for developers, then, to ensure their HTML5 apps aren’t susceptible to such attacks? Unfortunately, the authors promise to address that more specifically in a forthcoming paper. However, they suggest that prevention will take one of three general approaches to XSS: sanitization (filter out code mixed in with data), tainting (tag inputs from untrusted sources and don’t run them) or mitigation (restrict the permissions of untrusted code).
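As an added illustration (not code from the article, the study or PhoneGap) of the pattern described above and of the sanitization approach listed first: a plugin hands the web container a list of Wi-Fi scan results whose SSID field is controlled by whoever set up the hotspot. Building markup by string concatenation and handing it to innerHTML lets any tags in that field run; escaping each untrusted field first keeps it as inert text. The scan result, the helper names and the `<li>`-only check are constructed for this example.

```javascript
// Added example: unsafe vs. safe rendering of plugin-returned data in a WebView.
// Nothing here is PhoneGap's own API; sampleScanResult stands in for what a
// native Wi-Fi scan plugin might return to the JavaScript side.

// Constructed sample: the second SSID carries HTML markup, the kind of payload
// the article describes arriving through a hotspot name.
const sampleScanResult = [
  { ssid: "HomeNetwork", level: -50 },
  { ssid: "<img src=x onerror=\"alert('xss')\">", level: -70 },
];

// Sanitization: turn every HTML-significant character into an entity so the
// value can only ever be displayed, never parsed as markup.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted data is concatenated straight into markup.
// In a real app this string would be assigned to element.innerHTML, at which
// point the injected <img onerror=...> tag would execute.
function renderUnsafe(results) {
  return results
    .map((r) => `<li>${r.ssid} (${r.level} dBm)</li>`)
    .join("");
}

// Hardened pattern: every field that came from outside the web container is
// escaped, and numeric fields are coerced to numbers, before becoming markup.
function renderSafe(results) {
  return results
    .map((r) => `<li>${escapeHtml(r.ssid)} (${Number(r.level)} dBm)</li>`)
    .join("");
}

// Check used in the test below: the list markup should contain no tag other
// than <li> / </li>. Any other tag means untrusted data became markup.
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

// Stand-alone run: show both renderings side by side.
console.log("unsafe:", renderUnsafe(sampleScanResult));
console.log("safe:  ", renderSafe(sampleScanResult));
```

The same discipline applies to the other direction: data that JavaScript passes to a plugin should be validated before it crosses into native code. Escaping handles the HTML context only; a value that ends up inside a URL or a JavaScript string needs the escaping appropriate to that context, and a Content-Security-Policy that forbids inline script in the container page reduces what an injection can do if a sink is missed (the article's "mitigation" approach).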
In any case, the point is, while HTML5 presents many advantages to those building (and using) mobile apps, it also presents some significant new challenges. So, if you’re building mobile apps with HTML5, be sure to read up on the latest on HTML5 security and, as Walter White would say, tread lightly.