Combining the Security Risks of Native and Web Development: Hybrid Apps

By Achim D. Brucker and Michael Herzberg.

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system-specific, code with system-independent code, e.g., HTML5/JavaScript. Combining native with platform-independent code opens Pandora's box: all the security risks of native development are multiplied by the security risks of web applications.

In the first half of our talk, we give a short introduction to hybrid app development, present specific attacks, and report on how Android developers are using Apache Cordova. In the second half, we focus on developing secure hybrid apps, both with hands-on guidelines for defensive programming and with recommendations for hybrid-app-specific security testing strategies.

Please cite this work as follows:
A. D. Brucker and M. Herzberg, “Combining the security risks of native and web development: Hybrid apps,” presented at the OWASP AppSec EU, Belfast, UK, May 12, 2017. Author copy: https://logicalhacking.com/publications/talk-brucker.ea-hybrid-app-security-2017/

BibTeX
@Unpublished{ talk:brucker.ea:hybrid-app-security:2017,
  date              = {2017-05-12},
  title             = {Combining the Security Risks of Native and Web Development:
                       Hybrid Apps},
  author            = {Achim D. Brucker and Michael Herzberg},
  venue             = {Belfast, UK},
  eventtitle        = {OWASP AppSec EU},
  abstract          = {Cross-platform frameworks, such as Apache Cordova, are
                       becoming increasingly popular. They promote the development of
                       hybrid apps that combine native, i.e., system specific, code
                       and system independent code, e.g., HTML5/JavaScript. Combining
                       native with platform independent code opens Pandora's box: all
                       the security risks for native development are multiplied
                       with the security risk of web applications.
                       
                       In the first half of our talk, we give a short introduction
                       to hybrid app development, present specific attacks, and
                       report on how Android developers are using Apache Cordova. In
                       the second half of the talk, we will
                       focus on developing secure hybrid apps: both with hands-on
                       guidelines for defensive programming as well as
                       recommendations for hybrid app specific security testing
                       strategies.},
  slideshare        = {key/JYn1hJCN5Sml5a},
  video             = {https://youtu.be/30yRXk70F7A},
  slideshare_width  = {595},
  slideshare_height = {485},
  area              = {security},
  note              = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker.ea-hybrid-app-security-2017/}},
  pdf               = {https://logicalhacking.com/publications/talk-brucker.ea-hybrid-app-security-2017/talk-brucker.ea-hybrid-app-security-2017.pdf},
}