Security for web-embedded mobile apps

hybrid mobile apps

The number of smartphone (mobile) users worldwide in 2014 was nearly 1.6 billion, and is estimated to grow to 2.5 billion by 2019. To reach the maximum number of users for revenue, mobile application (app) developers need to produce a mobile app for different popular mobile platforms such as Android and iOS, amongst others. To save the time and resources of developing one app for multiple platforms, a new trend in the mobile industry is to employ web technologies in mobile app development so that a mobile app can be written once and run anywhere. In this approach, the core app code is written in HTML5 and JavaScript, and is ported to native apps for various specific mobile platforms by a middle-tier development framework. The web content, including JavaScript code, is housed in a web container (an in-app embedded browser) inside the native app, and can interact with the device through JavaScript APIs. Such mobile apps are popularly known as “hybrid”, “web-based”, or “HTML5-based” mobile apps.

In April 2015, a survey revealed that 65% of 178 IT organizations prefer to use hybrid frameworks for mobile app development. More than 70 such hybrid app frameworks have been released in the last few years, including Cordova, Ionic, Onsen, Intel XDK and Sencha, to name just a few. Just in July 2016, Facebook released React Native, a JavaScript library that is anticipated to be the future of hybrid app development due to its high performance, its ability to provide a highly responsive and fluid UI, and its third-party plug-in compatibility.

In addition to hybrid mobile apps, most native mobile apps also use embedded browsers to display external web content such as their website, advertisements, or social network plugins. A recent study revealed that 85% of Android apps contain web content in their embedded browsers. We henceforth refer to hybrid mobile apps and native mobile apps with web content collectively as ‘web-embedded mobile apps’.

Although web-embedded mobile apps bring strong advantages to the mobile development industry, they also severely exacerbate the security problems of mobile apps, because they expose sensitive device resources to pernicious web-based attacks, which is not true of typical native mobile apps. A recent large-scale study on nearly one million web-embedded mobile apps revealed that 28% of them (i.e., about 280 thousand apps) have at least one vulnerability that attackers can exploit to launch serious cyber-attacks. Numerous other studies further highlight this issue.

One critical security issue is that any JavaScript code in a hybrid mobile app, including code from a third party or from an injection attack, can access the embedded webpage; such code can then access sensitive device resources through the bridge code provided by the hybrid framework, a feature which attackers often exploit to launch cyber-attacks. For example, pic2shop, a popular web-based mobile app available for Android, iOS, and Windows Phone, is vulnerable to a cross-site scripting attack, which allows attackers to inject malicious JavaScript code in the form of a 2D barcode to steal sensitive information from the device, e.g., geolocation information and contact lists, and send it to the attacker’s server.

Another serious issue is that loading external web content, either as a webpage from a trusted website or as a piece of HTML containing JavaScript code such as an advertisement, in embedded browsers (in both hybrid apps and native apps with embedded web content) also creates a perilous security hole. App developers normally filter untrusted domains in their apps; however, the attempt has mostly resulted in ineffective or inconsistent enforcement. Consider the example of CVS Caremark, a native mobile app developed by the CVS Pharmacy retail enterprise, available on Android and iOS, with more than 100,000 downloads on the Android market alone. CVS Caremark uses an embedded browser object to render the web content from the CVS server and disallows untrusted origins; however, it contains a vulnerability that allows attackers to navigate to a malicious webpage with malicious JavaScript code to steal sensitive information such as the user ID, and to control device resources, such as the camera.
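To make the "ineffective or inconsistent enforcement" concrete, here is an added example (not code from the original post or from any app named above) of an origin-exact allowlist check for navigations in an embedded browser, placed beside the substring-style check that such filters often reduce to. The allowlist origin is constructed for illustration.

```javascript
// Added example (not from the original post): allowlisting navigation targets
// in an embedded browser by exact origin rather than by host-name substring.

// Constructed allowlist; an app would list its real first-party origins here.
const ALLOWED_ORIGINS = ["https://trusted.example"];

// Weak check: passes any URL string that merely contains the trusted host name,
// which is the kind of filter that ends up enforced inconsistently.
function weakAllows(url) {
  return url.includes("trusted.example");
}

// Strict check: parse the URL and compare the full origin (scheme, host, port)
// against the allowlist; anything unparsable or non-HTTPS is refused.
function strictAllows(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on malformed input
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false; // no plaintext or custom schemes
  return ALLOWED_ORIGINS.includes(parsed.origin);
}
```

A navigation hook in the embedded browser would call `strictAllows` on every requested URL and cancel the load when it returns false.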

Standard permission controls built into current mobile platforms can only enforce coarse-grained ‘all-or-nothing’ access control, and do not suffice to protect users from the aforementioned cyber-attacks because they do not distinguish between multiple principals (different origins or parties) in an app. For example, third-party web code or malicious code from an injection attack loaded into a web-embedded mobile app can access the geolocation resource if the app has been granted the geolocation permission. The same-origin policy implemented in embedded browsers protects only the confidential data of the DOM (Document Object Model), leaving the JavaScript bridge to the mobile device open to cross-origin access. State-of-the-art solutions tackle these security issues either by fixing hybrid frameworks or by modifying the embedded browser implementation. There are several drawbacks to these proposals. First, focusing on a particular hybrid framework can only protect the JavaScript bridge of that framework, and is not applicable to native apps embedding web content. Second, modifying the embedded browser implementation requires an open-source mobile platform (e.g., WebView for Android), and the solutions are only applicable to that platform. Furthermore, none of these solutions track data flow in web-embedded mobile apps, allowing information leakage attacks such as those in the attack examples above.

Our research offers a developer-centric solution that addresses the drawbacks of the current state of the art outlined above. It will provide security for web-embedded mobile apps at the level of the webpage and the JavaScript code. Our solution will be designed to give web-embedded mobile app developers tools and techniques to enforce fine-grained, multi-principal access control and information flow policies on JavaScript operations. The enforcement framework will be placed at the web level, and therefore will not require modification of embedded browsers, resulting in high-performance, platform-agnostic security provisioning.
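As an added illustration (not the project's own code or design), the following sketch shows what a web-level, multi-principal policy layer over a JavaScript bridge can look like: each origin gets its own view of the bridge, values returned by the bridge carry the label of the principal that obtained them, and a network sink refuses to send labelled data to destinations that principal's policy does not permit. The bridge object, origins and policy are constructed for the example; attributing each call to its principal is assumed to be done by the surrounding framework.

```javascript
// Added example (not the project's code): per-principal access control plus a
// simple information-flow check, enforced in JavaScript over a simulated bridge.

// Constructed stand-in for a framework bridge exposing device resources.
const rawBridge = {
  getGeolocation: () => ({ lat: 40.0, lon: -83.0 }), // fake coordinates
  readContacts:   () => ["alice@example.com"],       // fake contact list
  openCamera:     () => "camera-handle",
};

// Policy per principal (origin): which bridge methods it may call, and to which
// destination origins data it obtained may flow. Unlisted principals get nothing.
const policy = {
  "https://app.example": {
    allow: ["getGeolocation", "readContacts", "openCamera"],
    flowTo: ["https://api.example"],
  },
  "https://ads.example": { allow: [], flowTo: [] },
};
const DENY_ALL = { allow: [], flowTo: [] };

// A value returned by the bridge, tagged with the principal that obtained it.
class Labeled {
  constructor(value, label) { this.value = value; this.label = label; }
}

// Returns a view of the bridge restricted to what `principal` may call.
function bridgeFor(principal) {
  const rule = Object.prototype.hasOwnProperty.call(policy, principal) ? policy[principal] : DENY_ALL;
  return new Proxy(rawBridge, {
    get(target, method) {
      if (!rule.allow.includes(method)) {
        return () => { throw new Error(`${principal} may not call ${String(method)}`); };
      }
      return (...args) => new Labeled(target[method](...args), principal);
    },
  });
}

// Network sink: labelled data may only leave for destinations its owner allows,
// so even a script running as the app's own principal cannot ship it elsewhere.
function send(destinationOrigin, payload) {
  if (payload instanceof Labeled) {
    const owner = policy[payload.label] || DENY_ALL;
    if (!owner.flowTo.includes(destinationOrigin)) {
      throw new Error(`blocked flow of ${payload.label} data to ${destinationOrigin}`);
    }
    return { to: destinationOrigin, body: payload.value };
  }
  return { to: destinationOrigin, body: payload }; // unlabelled data is unrestricted
}
```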
