Why businesses should use caution with HTML5-based mobile apps

University researchers have found that HTML5-based mobile apps, which are expected to become more prevalent over the next several years, could add security risks for businesses.

Through developer error, the Web technology could automatically execute malicious code sent by an attacker via Wi-Fi, Bluetooth or a text message, researchers at Syracuse University reported last month at the Mobile Security Technologies Conference in San Jose, Calif.

[Even Apple and Google can't protect users from inherent mobile app risks]

"The malicious code can surreptitiously capture the victim's sensitive information off their mobile device and ex-filtrate it to an attacker," Jack Walsh, a mobile security expert at ICSA Labs, said Monday in a blog post on the research. "Second, and potentially worse, the app may spread its malicious payload like a worm -- SMS text messaging itself to all of the user's contacts."

Security weaknesses introduced in HTML5-based apps could become a bigger problem as their use grows. Because of the cross-platform nature of the Web technology, it is expected to be in more than half of all mobile apps by 2016, according to Gartner.

Developers introduce the vulnerability by using the wrong application programming interface (API) that allows the app to send code to the JavaScript engine for execution, the researchers said. In studying the problem, they found two HTML5-based apps in production that were vulnerable to attack.

Choosing the correct API is critical because the apps, which are a combination of the latest HTML standard, cascading style sheets (CSS) and JavaScript, allow for data and code to be mixed together.

If the developers just want to process data, but use the wrong APIs, the code in the mixture can be automatically executed, the researchers said.

"If such a data-and-code mixture comes from an untrustworthy place, malicious code can be injected and executed inside the app," the researchers said.

The risk of developer error is not unique to HTML5 apps.

"An HTML5-based app is no different from a web-based application and the same security measures should apply to both," Bogdan Botezatu, senior e-threat analyst for Bitdefender, said.

Ways in which an attacker could send a malicious code-data string to an HTML5 app include an SSID field sent over a Wi-Fi access point, a QR code, JPEG image or as metadata within an MP3 music file. The SSID, or service set identifier, is used in connecting devices to a network.

Other places malicious code could be hidden are in an SMS message displayed by the app. The code could also be sent from an infected device via Bluetooth if the app attempts a pairing.

In order for HTML5-based apps to be cross-platform, they require a middleware framework that lets them connect to the underlying system resources, such as files, device sensors and the camera.

Google Android, Apple iOS and Windows Phone have different containers that apps use for accessing services, so developers let the framework creators handle the plumbing underneath the Web app.

Examples of frameworks include PhoneGap, RhoMobile and Appcelerator. The researchers studied 186 PhoneGap plugins and found 11 that were vulnerable to the code-injection attack.

[Security analysis of mobile banking apps reveals significant weaknesses]

While the researchers only used PhoneGap and Android for their work, the same problems were applicable across operating systems.

"Since apps are portable across platforms, so are their vulnerabilities," the researchers said. "Therefore, our attacks also work on other platforms."