Hybrid apps – which see developers create apps in HTML or JavaScript, languages usually reserved for websites – have risen in popularity in recent years, but makers need to be wary as they are more susceptible to attacks, warned Andrew Whaley, VP of engineering at security company Arxan Technologies (pictured).
Speaking to Mobile World Live, he explained: “hybrid apps have become extremely popular because the base code can be used on multiple platforms, saving the developer the arduous job of having to recreate it from scratch each time.”
This means they access the markets for both Android and Apple while greatly cutting down on time and resources. It also makes it much easier to break into new markets such as smart TVs, where the vastly different architecture means porting a mobile app is usually a considerable amount of work.
The technique is particularly popular for mobile gaming and digital media apps.
However, hybrid apps are more vulnerable to attack than mobile apps written in native binary code because JavaScript and HTML typically require less skill to reverse engineer and tamper with.
“Because the app is actually running in a web browser with all of the browser capabilities around it, it’s also easier for attackers to pull off techniques like remote man-in-the-middle attacks, where data is intercepted as it is transmitted,” explained Whaley.
Attackers can use these flaws to steal information stored or sent by the app, which could include sensitive data such as financial and personal details, or biometric details used for authentication.
Once an app is cracked, an attacker can also use it as a vector for malware to attack other apps on the victim’s device, or even the company behind the app itself.
Protection
One of the most effective and accessible approaches to securing hybrid apps, according to Whaley, is to “combine obfuscation with runtime protection techniques and apply them to the JavaScript or HTML code embedded within the app”.
Obfuscation is the process of transforming the software programme into code which is difficult to disassemble and understand, but offers the same functionality as the original.
The software remains completely functional, but is extremely resistant to reverse-engineering as the code is effectively unusable to an unauthorised user.
As for runtime protection, it is about giving the app the ability to detect if it has been tampered with or may be under attack.
“Anti-tamper controls can be woven into the code, enabling it to checksum itself in runtime. Each time the hybrid app is opened, it will check its own code to confirm it is in its original state and has not been tampered with,” said Whaley.
The app will also be able to determine if it was booted up in a normal mobile device, rather than the sandbox environments attackers typically use when hacking apps.
This is hidden within the JavaScript code itself so even if the app is disassembled it will still be effective.
Consumers beware
It is not just hybrid apps which pose a security risk. Other apps can be vulnerable too.
“The greatest risk to a consumer is giving an attacker control of their device and everything it holds,” said Whaley.
With most people now using their mobiles for almost everything, letting an attacker in can be devastating and open the door to threats including identity theft and massive financial fraud.
“Some of the most insidious mobile malware we see in the wild today uses a raft of different advanced techniques, taking control of the touchscreen, call and SMS features to trick their way into secure banking applications,” he said.
Users need to be extremely careful about what they download onto their device. A common trick for attackers to deliver malware is to hide it within a fake version of a popular real app. Dedicated attackers will use code stolen from hacking the real app to create a convincing clone that runs as normal while infecting the user’s device.
Consumers should ensure they only download apps from official app stores.
“It’s worth noting that though attackers have been able to evade app store security measures with increasing frequency, consumers should still exercise caution and stay clear of any apps that look suspicious,” advised Whaley.
Comments