Mitigating Code Injection Risks in Cross-Platform Mobile Development

Hybrid apps can be compromised by malicious code through unsafe APIs. Learn techniques developers can use to prevent such attacks.

By Anastasia Yaskevich · Jun. 26, 17 · Opinion

Ideally, software logic would have no gaps at all, but in reality that cannot hold for every solution. For hybrid apps (which are different from cross-platform apps), these gaps come naturally, leaving the apps vulnerable to XSS (cross-site scripting) code injection attacks. Let’s look at the conditions under which hybrid mobile apps get compromised and find ways to avoid this problem.

In Theory

Powered by HTML, CSS, and JavaScript, hybrid mobile apps are web apps that run inside the native WebView browser and have to use plugins to access device hardware. Just as in web apps, data and code in hybrid apps are treated alike. As a result, there is a risk of malicious code chunks being received and then executed, without the user’s knowledge.

While a web app can only be attacked via its web server, a hybrid app supports multiple channels through which data can enter: Wi-Fi, NFC, the file system, and the camera, to name a few. If the app then passes the received data to an unsafe API, the malicious code embedded in it gets executed.

What’s more, when an infected hybrid app accesses hardware, it communicates with the plugin and can infect further device resources. That is why a hybrid app is even more dangerous in this regard than a web app.

In Practice

In their report for Mobile Security Technologies (MoST) 2014, researchers at Syracuse University, NY, presented a study. After building vulnerability-detection tools, they selected 15,510 mobile apps built on PhoneGap and ran their automated vulnerability check. Of these apps, 478 were vulnerable to code injection, and 53% of those turned out to use unsafe APIs.

Further research showed that any of these vulnerable mobile apps can trigger a chunk of malicious code while the user simply views audio file metadata or scans an image. The entire device can then be infected with an executable command that freely accesses any resource. For instance, as the Syracuse University researchers suggested, a QR code carrying an injected geolocation.watchPosition call can take over location services and make the device remotely trackable by a third party.

How to Secure a Hybrid App

Basically, for a device to be infected, malicious code has to pass two steps: first it enters through an open channel in the app, and then it is triggered. If mobile app developers control both of these steps, the risks can be minimized.

Code Filtering

Helping hybrid apps distinguish code from data is a solution that blocks the attack at the very first stage of invasion. Whatever channel the data uses to enter the app, it should be filtered so that it contains no commands. Google Caja is one ready-made ‘sanitizer’ developers can use: the tool rewrites HTML and CSS and keeps free variables out of JavaScript, making any incoming data safe to view.

Safe APIs

The current stats on API safety are alarming: many hybrid apps use APIs such as innerHTML, which appeared in about 90% of the vulnerable apps studied by the Syracuse University research group. This API is what lets injected malicious code execute automatically, as do document.write(), document.writeln(), outerHTML, and several jQuery APIs.

Safe APIs won’t trigger malicious code even if it arrived through one of the channels unfiltered. Examples of safe APIs include innerText, outerText, textContent, and value: they don’t extract code from the data and display it only as text.
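The filtering and safe-versus-unsafe API points above, as an added example (not code from the article, Google Caja, or the Syracuse group): the metadata string is constructed, `injected()` is a placeholder name, and the container arguments may be plain objects, so the functions run in Node as well as in a WebView.

```javascript
// Constructed sample: a title a plugin read from an audio file's metadata tag.
// It is data, but it happens to contain markup with an event-handler attribute.
const UNTRUSTED_TITLE = 'My Song <img src=x onerror="injected()">';

// Test/lint heuristic (not a sanitizer): would this string, parsed as HTML,
// contain something the WebView executes? Looks for a script tag or an on*=
// attribute inside a tag. Escaped text has no '<', so it never matches.
const ACTIVE_MARKUP = /<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i;
function containsActiveMarkup(markup) {
  return ACTIVE_MARKUP.test(String(markup));
}

// Code filtering: turn the characters that let text become markup into entities,
// so the string stays data even if it later reaches an HTML-parsing API.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe API: innerHTML hands the data to the HTML parser, which creates the
// <img> element and runs its onerror handler when the bogus src fails to load.
function renderUnsafe(container, data) {
  container.innerHTML = data;
}

// Safe API: textContent stores the string as a text node; '<' is just a character.
function renderSafe(container, data) {
  container.textContent = data;
}

// When rendering markup is unavoidable, filter first and only then use the HTML sink.
function renderFiltered(container, data) {
  container.innerHTML = escapeHtml(data);
}
```

In a real WebView `container` is a DOM element; with plain objects you can inspect exactly what each sink would have received.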

Data Display Alternatives

Developers can teach their apps to take special precautions when handling data that arrived via one of the channels and was identified as potentially dangerous. Such data can either be displayed as a plain text line with no executable JavaScript, or opened in an actual web browser instead of the WebView, which limits the risk and keeps device resources out of reach of the malicious code.
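The two display alternatives above, as an added example that is not from the article: channel data is routed either to a text-only display or to the device's real browser, and never to an HTML-parsing sink. The `ui` object is an assumed abstraction (under Cordova, `openInSystemBrowser` would typically wrap `cordova.InAppBrowser.open(url, '_system')` from cordova-plugin-inappbrowser), and `injected()` is a placeholder name.

```javascript
// Only absolute http(s) URLs are ever handed to the external browser.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the parsed URL if `data` is an absolute http(s) URL, otherwise null.
// javascript:, data:, file:, relative paths and free text all come back null.
function asExternalUrl(data) {
  let url;
  try {
    url = new URL(String(data));
  } catch (e) {
    return null;            // not a URL at all: treat as plain text
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url : null;
}

// Decide how to present data from a channel (QR scan, NFC tag, file metadata).
// Returns which alternative was taken; the data never reaches innerHTML or eval.
function handleChannelData(data, ui) {
  const url = asExternalUrl(data);
  if (url) {
    ui.openInSystemBrowser(url.href);   // leaves the WebView and its plugins behind
    return 'browser';
  }
  ui.showText(String(data));            // textContent-style display: code stays inert
  return 'text';
}

// Constructed samples of what a QR-scanner plugin might return.
const SAMPLES = [
  'https://example.com/menu',
  'javascript:injected()',
  '<img src=x onerror="injected()">',
];

// Stand-alone demo: route each sample through a ui that only records the decision.
function routeSamples(samples = SAMPLES) {
  const log = [];
  const ui = {
    openInSystemBrowser: (href) => log.push(['browser', href]),
    showText: (text) => log.push(['text', text]),
  };
  samples.forEach((s) => handleChannelData(s, ui));
  return log;
}
```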

Large-Scale Solutions

The NoInjection patch for PhoneGap, proposed by the Syracuse University research group, is aimed at PhoneGap and Cordova framework developers. The patch is meant to be a powerful filter for all incoming data, not at the app level but at the framework level. With such a solution built into the cross-platform development tools, hybrid apps would automatically be protected from code injection even if their developers are unaware of the risk.

Endnote

Although the web nature of hybrid apps is partly responsible for their vulnerabilities, there is no reason to avoid this type of cross-platform mobile development entirely. Still, mobile app developers should take the mitigation of these risks seriously while building their apps in PhoneGap and Cordova. Filtering the code at the app level, using safe APIs, and choosing an alternative display for potentially malicious data are all effective ways to protect apps from code injection attacks.
