What Are the Security Risks of HTML5 Apps?

By Jaykishan Panchal

The combination of HTML5 and JavaScript has become a popular way for developers to build apps and websites. Over the past few years this pairing has delivered increasing speed and reliability.

Although the W3C only approved HTML5 as a standard in October 2014, its adoption started many years earlier. Presently, almost 30% of the Fortune 500 companies, including tech giants like Google, Facebook, Netflix and Microsoft, are using it.

A Gartner report found that over 50% of mobile apps are likely to be based on HTML5 by 2016. One reason for its popularity is that HTML5 is largely cross-platform: it allows developers to create apps for various platforms including iOS, Android, Windows and Mac, as well as web applications.

JavaScript's rise in popularity has been meteoric, and it is the perfect accompaniment to HTML5. Together, they are fast becoming the dominant technologies for building mobile applications.

This technology stack combination is not without its haters, problems and questions. One such question is…

Do HTML5 apps pose any security threats for developers and businesses?

The answer, unfortunately, is yes. Apps built with HTML5 are like any other web-based application: developers should take proper security measures against cyber attacks to safeguard stored data and communications. Unfortunately, many are doing little to protect themselves and their users against these threats.

Let’s consider what threats HTML5 mobile apps are facing.

Threats from Malicious Code

According to researchers from Syracuse University, HTML5 apps are most likely to introduce security risks through developer error, for example by automatically executing malicious code received through Bluetooth, Wi-Fi or text messages.

This malicious code can capture sensitive information and expose the victim’s mobile device to an attacker. Worse, the malicious code can spread and cause the app to carry out undesired tasks such as sending SMS text messages. As the use of this platform is growing, its security weaknesses are becoming a bigger problem.

By using the wrong APIs, developers make their apps vulnerable: untrusted input can reach the JavaScript engine and be executed as code. Choosing the correct APIs is critical to avoiding this kind of breach.

Developers typically mix data and code together, and apps become vulnerable to malicious code when user-generated data originates from unreliable sources. This problem is not limited to HTML5 apps, but unlike a web browser, a mobile device has many more channels through which it can become infected.

Apart from developer error, malicious code can be injected into an app through images and music files (in their metadata), QR codes, Bluetooth transmissions and SSID fields broadcast over Wi-Fi. SMS messages displayed by the app can also contain malicious code.

Middleware is a Major Issue

HTML5 applications often need a middleware framework to be cross-platform. This middleware is one of the ways JavaScript can call into the operating system's native code. It is susceptible to the code injection attacks known as XSS (cross-site scripting), because the middleware accepts both data and code and executes the latter automatically.

The risk is greater on mobile devices because of the permissions we grant to apps, such as access to contact lists, location data and cameras. The Syracuse researchers particularly mentioned PhoneGap, a popular middleware. Through plugins, PhoneGap can access various parts of your mobile device. The researchers found that 77 of the 186 PhoneGap plugins were exploitable, meaning that these plugins could accept data and code from external channels and execute them.

Almost 764 free apps in the Google Play Store use PhoneGap, and the researchers were able to carry out code injection attacks successfully on 2 of these apps. This is a small percentage considering there are over 12,000 free Android apps. The researchers said nothing about a potential solution and promised to be more specific in a future paper.

It's not just HTML5-based apps that expose users to security issues; it is a problem that affects apps generally. Appthority, a mobile app risk management vendor, analyzed 400 apps in its Winter 2014 App Reputation Report, including the top 100 paid and top 100 free iOS and Android apps. The report found a lot of risky practices in these apps, most of them related to users' privacy.

The report found that almost 70% of apps allow location tracking, 56% can identify the UDID and 31% can access the user's address book. 53% of these apps share data with third-party analytics and ad networks, 69% use single sign-on and 51% of them allow in-app purchasing.

Of all of these, in-app purchasing is especially risky because of the type of data collected. It usually collects sensitive information such as your email address, phone number, postal address and possibly bank details. This information could be shared with third parties like advertising networks and/or analytics companies, and risks being misused.

Domingo Guerra, the president and cofounder of Appthority, states that the growing trend for apps is to monetize through in-app purchasing. He cited the example of Candy Crush Saga, one of the most hyped and downloaded free apps, which is also “one of the top-grossing apps”.

These risky practices are not limited to free apps: the report mentions that almost 80% of the top paid Android and iOS apps also exhibited risky practices.

The Solution

The researchers at Syracuse University didn’t give any concrete solutions. They suggest that the solution lies in one of the three approaches to XSS. These are:

  • Sanitization, which filters out the code mixed in with the data.
  • Mitigation, which restricts the permissions of untrusted code.
  • Tainting, which tags inputs from unreliable sources and does not allow them to run.

Consider the following examples borrowed from the HTML5 Security Cheatsheet:

The HTML5 form and formaction attributes let a submit button attach itself to a form by id and override that form's action, which makes it possible to hijack a form from outside the form element itself.

<form id="test"><button form="test" formaction="javascript:alert(1)">X</button></form>

This input element uses autofocus to fire its own focus event handler, with no user interaction required.

<input onfocus=write(1) autofocus/>

In the first example, users shouldn't be allowed to submit any markup containing attributes like form or formaction; such attributes should be stripped or rewritten to harmless ones. The id attribute should be avoided for forms and submit buttons.

In the second example, developers need to keep in mind that markup submitted by users should not include autofocus attributes.
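To make the sanitization approach concrete, here is an added example (not code from the article or from the HTML5 Security Cheatsheet) that runs the two vectors above through an allowlist-based sanitizer. Instead of trying to blocklist form, formaction, autofocus and on* event handlers, it rebuilds the markup from scratch, keeping only a small set of known-safe elements and attributes (the sets used here are my own assumptions for illustration) and a short allowlist of URL schemes for href, so the dangerous attributes and javascript: URLs never reach the page. It runs in plain Node with no DOM; in production, a DOM-based library such as DOMPurify should be preferred to a hand-written parser like this one.

```javascript
// Added example: allowlist-based sanitizer for user-submitted markup.
// Not code from the article or the HTML5 Security Cheatsheet. The element
// and attribute sets below are illustrative assumptions.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br']);
// Attributes kept per element; an element with no entry keeps no attributes,
// so form, formaction, autofocus and on* handlers can never survive.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
const NO_ATTRS = new Set();
// href must use an allowlisted scheme or be a relative path/fragment;
// javascript:, data: and obfuscated variants all fail this test.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

// Escape text so it can only ever render as text. Existing entities are
// re-escaped (&amp; becomes &amp;amp;), which is lossy but never unsafe.
function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Pull name/value pairs out of a tag body such as ` href="x" onclick=alert(1)`.
function parseAttrs(body) {
  const attrs = [];
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs.push([m[1].toLowerCase(), value]);
  }
  return attrs;
}

// Rebuild the markup, emitting only allowlisted elements and attributes.
// Anything that is not a well-formed tag is treated as text and escaped.
function sanitizeHtml(input) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(pos, m.index));
    pos = m.index + m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;   // unknown element: tag dropped, its text kept
    if (closing) { out += `</${tag}>`; continue; }
    const allowed = ALLOWED_ATTRS[tag] || NO_ATTRS;
    let attrText = '';
    for (const [name, value] of parseAttrs(m[3])) {
      if (!allowed.has(name)) continue;                              // not allowlisted: dropped
      if (name === 'href' && !SAFE_URL.test(value.trim())) continue; // unsafe scheme: dropped
      attrText += ` ${name}="${escapeText(value)}"`;
    }
    out += `<${tag}${attrText}>`;
  }
  out += escapeText(input.slice(pos));
  return out;
}

// Constructed samples: the two cheatsheet vectors quoted in the article plus
// a link with an unsafe scheme and a benign snippet that should pass through.
const SAMPLES = [
  '<form id="test"><button form="test" formaction="javascript:alert(1)">X</button></form>',
  '<input onfocus=write(1) autofocus/>',
  '<a href="javascript:alert(1)" onclick="track()">Profile</a>',
  '<p>Hello <b>world</b>, see <a href="https://example.com" title="docs">this</a></p>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeHtml(s)));
}
```

The design choice worth noting is that nothing from the input is copied to the output verbatim: text is escaped, element and attribute names are only emitted if they appear in the allowlist, and attribute values are escaped again on the way out. That is why the form/formaction and autofocus vectors reduce to plain text without the sanitizer needing to know about them by name, which is the property a blocklist cannot give you.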

The best advice is to remove irrelevant or dangerous characters from content. A sound design should cache little or no data, keep logic on the client to a minimum, and keep passwords, tokens, security profiles and credentials on the server. The client should focus on UI interaction with the server. It is possible to develop secure HTML5 apps by leaving no data behind in the cache.

Developers need to be aware of the most potent mobile security threats and secure their apps against them. Another useful resource is the detailed guideline for secure mobile development from the PCI SSC (Payment Card Industry Security Standards Council).

Your mobile technology must provide an authentication framework and robust security features including:

  • On-device encryption
  • Secure client/server communication
  • Access control
  • Offline authentication

Cross-platform applications are one of the holy grails of mobile app development, but never compromise on security or user experience. One way of achieving this is by focusing on the integration between the app, its cloud platform-specific features and remote authentication services, and combining them with the security best practices that apply to web development.

What are your experiences and advice for securing HTML-based apps?


HTML5 is a web interface technology. Of course, we love it since it is easy to develop beautiful interfaces. But from a security point of view it is just as insecure as any other web technology.

The problem is that it will be easy to develop apps with stunning interfaces and advanced functionality that works cross-platform. Too easy maybe, so people will choose this environment without understanding the consequences.

It will be even more important to separate transaction from secure authentication (read multi-factor authentication). And the transaction itself must be protected with encryption schemes outside the browser environment. HTML5 is for interface building, not secure applications or IT systems.

So, in the long run it might even be harder to develop in HTML5 because of all extras you have to add. If you don't use a backend service for security and communication, like


Although I agree with the author that HTML5 web apps can be insecure if you don't follow best practices around security, I'm not sure how the risks mentioned in the above article have anything to do with features and functionality introduced by HTML5, so I think the title is a bit misleading in that sense. XSS attack vectors are possible with JavaScript, something that pre-dates the HTML5 era. And PhoneGap isn't HTML5 - it's a hybrid solution to develop mobile applications.
