HTML5 Mobile Apps Security Issues

28 February 2013


Three weeks ago TechCrunch published an article on how Path was fined for stealing its users' contact lists and saving them onto its servers. Path was made to pay such a huge fine because it did not comply with COPPA. The article also elaborated on how the FTC introduced a new set of guidelines for mobile developers.

This applies especially to HTML5 apps, because even a simple app built with HTML5 can compromise user privacy and security. The FTC gave the example of a harmless alarm clock app that, if built using HTML5, can open a security hole. A single JavaScript injection is enough, and all it requires is the app loading content from a remote location. Something as simple as a terms-of-service page or a push notification can carry malicious code, and JavaScript injection can give an attacker a lot of control over the app. Another area where HTML5 apps can cause a security issue is the use of local storage (which is not flushed when the app closes), together with the app's access to the native database and file system.
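The two risks above, remotely loaded content that gets executed as script and local storage that outlives the session, can be addressed in the app's own JavaScript. The following is an added example, not code from the original post or from any framework it mentions. It goes slightly beyond the post by also showing a Content-Security-Policy meta tag for the WebView page. The origin `https://api.example-app.invalid`, the push payload, the storage key names and the policy string are all constructed assumptions; `MemoryStorage` stands in for the browser's `localStorage` so the code runs under plain Node.js.

```javascript
// Added example (not from the original post): defensive handling of the two
// risks the post describes for hybrid HTML5 apps, written as plain Node.js so
// it runs without a WebView. Hostnames, payloads and key names are constructed.

// 1. Remote content: only allowlisted HTTPS origins may supply pages (such as
//    a terms-of-service page) or notification payloads that the app renders.
//    The origin below is a constructed placeholder, not a real endpoint.
const ALLOWED_ORIGINS = new Set(["https://api.example-app.invalid"]);

function isAllowedOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparsable input is rejected, never loaded
  }
  return parsed.protocol === "https:" && ALLOWED_ORIGINS.has(parsed.origin);
}

// 2. Rendering: escape untrusted text so the WebView treats it as characters,
//    never as markup. This is the difference between innerHTML-style
//    interpolation (vulnerable) and textContent-style rendering (safe).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: payload fields become markup, so a <script> element in a
// push notification body would be executed inside the app.
function renderNotificationUnsafe(payload) {
  return `<div class="notice">${payload.title}: ${payload.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function renderNotificationSafe(payload) {
  return `<div class="notice">${escapeHtml(payload.title)}: ${escapeHtml(payload.body)}</div>`;
}

// Constructed push payload carrying a script element, used only to show the
// difference between the two renderers.
const SAMPLE_PAYLOAD = { title: "Update", body: "<script>alert(1)</script>" };

// 3. A Content-Security-Policy meta tag for the WebView page. With no
//    'unsafe-inline' in script-src, inline script that slips into the DOM is
//    not executed, and connect-src limits where the app may fetch from.
function cspMetaTag() {
  const origins = [...ALLOWED_ORIGINS].join(" ");
  return `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self' ${origins}; object-src 'none'">`;
}

// 4. Local storage is not flushed when the app closes, so sensitive values must
//    be removed explicitly. MemoryStorage mirrors the part of the Web Storage
//    API used here (getItem/setItem/removeItem/length) so the logic runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Keys that must never survive logout or backgrounding (constructed names).
const SENSITIVE_KEYS = ["sessionToken", "contacts", "lastLocation"];

function purgeSensitive(storage) {
  for (const key of SENSITIVE_KEYS) storage.removeItem(key);
  return storage.length; // what remains is non-sensitive UI state
}

// Runs the storage scenario end to end and reports what happened.
function storageDemo() {
  const storage = new MemoryStorage();
  storage.setItem("theme", "dark");
  storage.setItem("sessionToken", "constructed-token-value");
  storage.setItem("contacts", JSON.stringify([{ name: "Example Contact" }]));
  const before = storage.length;
  const after = purgeSensitive(storage);
  return { before, after, tokenGone: storage.getItem("sessionToken") === null };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderNotificationUnsafe(SAMPLE_PAYLOAD));
  console.log(renderNotificationSafe(SAMPLE_PAYLOAD));
  console.log(cspMetaTag());
  console.log(storageDemo());
}
```

Run it with `node` to see the unsafe renderer pass the script element straight through while the safe renderer emits it as harmless text. In a real hybrid app the same three controls apply at the WebView boundary: check `isAllowedOrigin` before any remote load, never interpolate remote fields into `innerHTML`, and call the purge routine on logout and when the app moves to the background.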

This is more common in apps created using free (or custom) platforms, where stealing the user's contact list and tracking the user's location are very common. Any app that uses certain elements of HTML5, even when it is created as a native app, is vulnerable.

HTML5 apps that run within a mobile browser are also vulnerable to injection attacks, but the amount of damage will be less: the attack is restricted to accessing information such as the current location.

The simplest way to counter this is to build a 100% native app and avoid JavaScript injection entirely. Another is to build a mobile app only when it is truly necessary: a good responsive, adaptable website is a better alternative to an insecure app.
