What Are the Security Risks of HTML5 Apps?
Although the W3C only approved HTML5 as a standard in October 2014, its adoption started many years earlier. Presently, almost 30% of the Fortune 500 companies, including tech giants like Google, Facebook, Netflix and Microsoft, are using it.
A Gartner report found that over 50% of mobile apps are likely to be based on HTML5 by 2016. One reason for its popularity is that HTML5 is largely cross-platform: it allows developers to create apps for iOS, Android, Windows and Mac as well as web applications.
This technology stack is not without its haters, problems and questions. One such question is…
Do HTML5 apps pose any security threats for developers and businesses?
The answer, unfortunately, is yes. Apps built with HTML5 are web applications like any other, so developers should take proper security measures against cyber attacks to safeguard stored data and communications. Unfortunately, many are doing little to protect themselves and their users against these threats.
Let’s consider what threats HTML5 mobile apps are facing.
Threats from Malicious Code
According to researchers from Syracuse University, HTML5 apps most often acquire security risks through developer error, for example by automatically executing malicious code that arrives via Bluetooth, Wi-Fi or text messages.
This malicious code can capture sensitive information and expose the victim’s mobile device to an attacker. Worse, the malicious code can spread and cause the app to carry out undesired tasks such as sending SMS text messages. As the use of this platform is growing, its security weaknesses are becoming a bigger problem.
Developers typically mix data and code together, and apps become vulnerable to malicious code when user-generated data originates from untrusted sources. This problem is not limited to HTML5 apps, but unlike a web browser, a mobile device has many more channels through which it can become infected.
Apart from developer error, malicious code can be injected into an app through images and music files (as metadata), QR codes, Bluetooth transmission and SSID fields transmitted over Wi-Fi. SMS messages displayed by the app can also contain malicious code.
Middleware is a Major Issue
The risk is greater on mobile devices because of the permissions we give to apps, such as access to contact lists, location data and cameras. The Syracuse researchers particularly mentioned PhoneGap, a popular middleware. Using plugins, PhoneGap can access various elements of your mobile device. The researchers found that 77 of the 186 PhoneGap plugins examined were exploitable, meaning these plugins could accept data+code from external channels and execute it.
Almost 764 free apps in the Google Play Store use PhoneGap, and the researchers successfully carried out code injection attacks on 2 of these apps. This is a small percentage considering there are over 12,000 free Android apps. The researchers said nothing about a potential solution and promised to be more specific in a future paper.
It's not just HTML5-based apps that expose users to security issues; the problem affects apps generally. Appthority, a mobile app risk management vendor, analyzed 400 apps in its Winter 2014 App Reputation Report, which includes the top 100 paid and top 100 free iOS and Android apps. The report found a lot of risky practice in these apps, most of it related to users' privacy.
The report found that almost 70% of apps allow location tracking, 56% can identify the UDID and 31% can access the address book of the user. 53% of these apps share data with third-party analytics and ad networks, 69% use single sign-on and 51% of them allow in-app purchasing.
Of all of these, in-app purchasing is especially risky because of the type of data collected. It usually involves sensitive information such as your email address, phone number, postal address and possibly bank details. This information could be shared with third parties like advertising networks and/or analytics companies, and so risks being misused.
Domingo Guerra, the president and cofounder of Appthority states that for apps the growing trend is to monetize through in-app purchasing. He cited the example of one of the most hyped and downloaded free apps, Candy Crush Saga being “one of the top-grossing apps” as well.
These risky practices are not limited to free apps. The report mentions that almost 80% of the top paid Android and iOS apps also exhibited examples of risky practice.
The researchers at Syracuse University didn’t give any concrete solutions. They suggest that the solution lies in one of the three approaches to XSS. These are:
- Sanitization, which is filtering the code mixed with data.
- Mitigation or restricting the permissions for untrusted code.
- Tainting or tagging inputs from any unreliable sources and not allowing them to run.
Consider the following examples borrowed from the HTML5 Security Cheatsheet:
First, displaying an HTML5 form with a form action opens the possibility of form hijacking from outside the form.
Second, this form uses an input element with autofocus to trigger its own focus event handler, with no user interaction required:
<input onfocus=write(1) autofocus/>
In the first example, users shouldn't be allowed to submit any markup containing attributes like formaction; such attributes should be stripped or rewritten to harmless bogus attributes. The id attribute should be avoided on forms and submit buttons.
In the second example, developers need to keep in mind that markup submitted by users should not include
The best advice is to remove irrelevant or dangerous characters from content. A proper design keeps little or no data cached on the device and minimizes logic on the client, keeping passwords, tokens, security profiles and credentials on the server; the client should focus on UI interaction with the server. It is possible to develop secure HTML5 apps that leave no data behind in the cache.
Developers need to be aware of the most potent mobile security threats and secure their apps against them. Another useful resource is the detailed guideline for secure mobile development from the PCI SSC (Payment Card Industry Security Standards Council).
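The sanitization approach listed above, applied on the server (where the article says the logic belongs) to the kind of markup the cheatsheet examples show: an allowlist filter built on Python's standard-library HTMLParser that rebuilds user-submitted markup from permitted tags and attributes only, so formaction, autofocus, id and every on* handler are dropped and reported rather than passed through. This is an added example, not code from the article or from the Syracuse researchers; the tag and attribute allowlist is an assumption to be tuned per app.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: tag -> attributes permitted on it. Anything not listed is dropped,
# so formaction, autofocus, id and every on* handler never reach the page.
ALLOWED = {"a": {"href", "title"}, "p": set(), "b": set(), "i": set(), "em": set(),
           "strong": set(), "ul": set(), "ol": set(), "li": set(), "br": set()}

def _attr_ok(name, value):
    # Second line of defence on allowed attributes: no handlers, no script: URLs
    if name.startswith("on"):
        return False
    if name == "href":
        return (value or "").strip().lower().startswith(("http://", "https://", "/"))
    return True

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # rebuilt, safe markup
        self.dropped = []  # (tag, attr) pairs removed; worth logging server-side

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))
            return
        parts = [tag]
        for name, value in attrs:
            if name in ALLOWED[tag] and _attr_ok(name, value):
                parts.append('%s="%s"' % (name, escape(value or "", quote=True)))
            else:
                self.dropped.append((tag, name))
        self.out.append("<%s>" % " ".join(parts))

    def handle_startendtag(self, tag, attrs):  # <tag .../> form
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted

def sanitize(markup):
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped
```

sanitize() returns the rebuilt markup together with the list of dropped tags and attributes, so a submission that carried an autofocus handler or a formaction override can be logged as well as neutralised.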
Your mobile technology must provide an authentication framework and robust security features including:
- On-device encryption
- Secure client/server communication
- Access control
- Offline authentication
Cross-platform applications are one of the holy grails of mobile app development, but never compromise on security or user experience to get there. One way to achieve both is to focus on the integration between the app, its cloud platform-specific features and remote authentication services, and to combine them with the security best practices that apply to web development.
What are your experiences and advice for securing HTML-based apps?