Ideally, software would have no gaps in its logic at all, but in reality that can’t hold for every solution. For hybrid apps (which are different from cross-platform apps), such gaps come naturally with the architecture, leaving the apps open to XSS (cross-site scripting) code injection attacks. Let’s look at the conditions under which hybrid mobile apps get compromised and find ways to avoid this problem.
While web apps can be attacked only via a web server, hybrid apps support multiple channels for data to get through: Wi-Fi, NFC, the file system, and a camera, to name a few. If the app passes the received data to an unsafe API, the malicious code carried in that data gets executed.
What’s more, when an infected hybrid app accesses hardware, it communicates with the plugin and can compromise further device resources. That’s why a hybrid app is even more dangerous in this regard than a web app.
In their paper for Mobile Security Technologies (MoST) 2014, researchers at Syracuse University, NY, presented a study. After building vulnerability detection tools, the researchers selected 15,510 mobile apps developed on PhoneGap and ran their automated vulnerability check. Of all the apps, 478 were vulnerable to code injection, and 53% of those turned out to use unsafe APIs.
Further research showed that any of these vulnerable mobile apps can trigger a piece of malicious code while a user simply views an audio file’s metadata or scans an image. The entire device can then be compromised by an executed command that freely accesses any resources. For instance, as the Syracuse University researchers suggest, a QR code with an injected geolocation.watchPosition call can take over location services and make the device remotely trackable by a third party.
How to Secure a Hybrid App
Basically, for a device to be infected, malicious code has to pass through two steps: first it enters the app through an open channel, and then it is triggered. If mobile app developers control both of these steps, the risks can be minimized.
The current state of API safety is alarming: many hybrid apps use APIs such as innerHTML, which appeared in about 90% of the vulnerable apps studied by the Syracuse University research group. This API is what lets injected malicious code get executed automatically, just as document.write(), document.writeln(), outerHTML and several jQuery APIs do.
Safe APIs won’t trigger malicious code even if it arrived through one of the channels without being filtered. Examples of safe APIs include innerText, outerText, textContent, and value: they don’t parse the code out of the data but treat it purely as text.
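As an added example (not code from the article or from the PhoneGap/Cordova projects), the JavaScript below contrasts the innerHTML-style sink with a text-only rendering path and adds the app-level filter the article recommends. The sample inputs, the sendTo name and the handleChannelData helper are constructed for this demonstration.

```javascript
// Added example (not from the original article or the Syracuse study): the same
// channel data rendered through an unsafe sink (string markup destined for
// innerHTML) and through a safe, text-only path (what textContent/innerText
// give you), plus an app-level filter that flags markup before it reaches a sink.
// No DOM is used; the functions return the strings an app would hand to each
// sink, so the example runs under Node.

// Escape the characters HTML treats specially so the data is shown verbatim.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: plugin data concatenated into markup and assigned to innerHTML.
// Any tag inside the data becomes part of the page and is run by the WebView.
function renderUnsafe(label, data) {
  return `<li><b>${label}:</b> ${data}</li>`;
}

// Safe pattern: the same display, but the data is escaped, which is what assigning
// it to textContent/innerText on a dedicated element does for you.
function renderSafe(label, data) {
  return `<li><b>${escapeHtml(label)}:</b> ${escapeHtml(data)}</li>`;
}

// App-level filter for the first step (the channel): flag values that carry tags
// or inline event handlers so they can be logged and sent down the text-only path.
function looksLikeMarkup(data) {
  return /<\s*\/?[a-z!]/i.test(data) || /\bon[a-z]+\s*=/i.test(data);
}

// Combine both controls: never hand channel data to a markup sink, and report
// whether the filter fired so the app can log the event (hypothetical helper).
function handleChannelData(label, data) {
  return { flagged: looksLikeMarkup(data), html: renderSafe(label, data) };
}

// Constructed sample inputs: a plain Wi-Fi SSID and a QR payload carrying a script
// tag (the watchPosition scenario from the article; sendTo is a hypothetical name).
const samples = [
  ['SSID', 'HomeNetwork'],
  ['QR', '<script>navigator.geolocation.watchPosition(sendTo)</script>'],
];
for (const [label, data] of samples) {
  console.log('unsafe:', renderUnsafe(label, data));
  console.log('safe:  ', JSON.stringify(handleChannelData(label, data)));
}
```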
Data Display Alternatives
A NoInjection patch for PhoneGap was proposed by the Syracuse University research group, aimed at PhoneGap and Cordova framework developers. The patch is meant to be a powerful filter for any incoming data, applied not at the app level but at the framework level. With such a solution built into the cross-platform development tools, hybrid apps would be automatically protected from code injection even if their developers are unaware of such risks.
Although the web nature of hybrid apps is partly responsible for their vulnerabilities, there’s no reason to avoid this type of cross-platform mobile development entirely. Still, mobile app developers should take the mitigation of these risks seriously while creating their apps in PhoneGap and Cordova. Filtering the code at the app level, using safe APIs, and using an alternative data display for potentially malicious data are all effective ways to protect apps from code injection attacks.