A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services

Web traffic is increasingly shifting towards mobile devices, driving developers to tailor web content to small screens and to customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device-independent means for developers to use these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that does not depend on platform-specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high-level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a testbed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the testbed, showing that it provides insight into vulnerabilities and helps assess risk.
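The abstract describes the boundary that makes hybrid apps security-relevant: web code running in a WebView reaches device features only through a bridge exposed by the native container. The following is an added illustration, not code from the paper or its testbed, of what a defensively written bridge looks like in JavaScript. It models the container as a policy-enforcing dispatcher that checks the calling page's origin against an allowlist and the requested feature against the container's policy before any device capability is invoked. The origins, feature names, policy and returned values are all constructed for this example and are not taken from the paper.

```javascript
// Added illustration (not the paper's testbed): a minimal model of the
// hybrid-app boundary described in the abstract. Web code (HTML5/JS) in a
// WebView can reach device features only through the native container's
// bridge. The bridge below enforces two defensive checks before dispatch:
// the calling page's origin must be allowlisted, and the requested feature
// must be enabled in the container's policy. Every decision is logged so a
// tester can inspect which web origins tried to reach which device features.
// Origins, feature names, policy and return values are constructed here.

const NATIVE_FEATURES = {
  // Stand-ins for device capabilities the container exposes (constructed).
  geolocation: () => ({ lat: 40.0, lon: -75.0 }),
  camera: () => "<constructed camera capture>",
  storage: (args) => ({ stored: args.key }),
};

function createBridge(policy) {
  // policy.allowedOrigins: origins whose scripts may call the bridge
  // policy.features: map of feature name -> true/false (enabled or not)
  const log = [];

  function invoke(origin, feature, args = {}) {
    const entry = { origin, feature, allowed: false, reason: "" };
    if (!policy.allowedOrigins.includes(origin)) {
      entry.reason = "origin not allowlisted";
    } else if (!Object.prototype.hasOwnProperty.call(NATIVE_FEATURES, feature)) {
      // hasOwnProperty avoids treating inherited names such as
      // "constructor" as valid device features
      entry.reason = "unknown feature";
    } else if (!policy.features[feature]) {
      entry.reason = "feature disabled by container policy";
    } else {
      entry.allowed = true;
    }
    log.push(entry);
    if (!entry.allowed) {
      return { ok: false, error: entry.reason };
    }
    return { ok: true, result: NATIVE_FEATURES[feature](args) };
  }

  return { invoke, getLog: () => log.slice() };
}

// Constructed container policy: only the app's bundled pages and its REST
// backend origin may reach the bridge, and the camera is not enabled.
const examplePolicy = {
  allowedOrigins: ["file://", "https://api.example.invalid"],
  features: { geolocation: true, storage: true, camera: false },
};

const bridge = createBridge(examplePolicy);
// A bundled page asking for location: allowed by both checks.
const trusted = bridge.invoke("file://", "geolocation");
// Script from a third-party origin loaded into the WebView: rejected.
const foreign = bridge.invoke("https://ads.example.invalid", "geolocation");
// Allowlisted origin asking for a feature the policy disables: rejected.
const disabled = bridge.invoke("file://", "camera");
// An inherited object property is not a device feature: rejected.
const bogus = bridge.invoke("file://", "constructor");
```

The point of the design is that the native side, not the web layer, decides which origin may reach which capability; the web code can be swapped or injected, but every call still passes through the same policy check and leaves a log entry that a testbed can collect.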
