SECURING MOBILE HYBRID APPLICATIONS THROUGH CONFIGURATIONS - FIRST LINE OF DEFENSE
Analytics
356 views ◎322 downloads ⇓
Abstract
Mobile hybrid apps have the potential to dominate the mobile and IoTs apps market. Cross-platform or hybrid apps are providing a promising development choice that appeals to a great body of developers. This development approach \wraps" standard web code (HTML, Javascript, and CSS) into a thin native layer, enabling the same code base to run on several platforms. This approach also provides a mechanism to access device native sensors such as camera, geolocation and more, through Javascript code. As much as this seems innovative and promising, enabling web-code to access device native sensors is comparable to opening a can of worms in security terms. Most web-based vulnerabilities can be leveraged in mobile apps context which means amplified damage. Apache Cordova is an open source library that is a common component in many hybrid platforms including PhoneGap and IBM Worklight. Yet, it suffers several security limitations such as a coarse-grained access control model, risky defaults, and for many developers a non-trivial configuration process. Hybrid app development is an intricate task as is, not to mention configuring these apps securely. Given the increased popularity of the approach itself and the proven tendency of developers to use platform-provided default settings, this work aims to harden the middleware by implementing security mechanisms. Addressing security limitations on the platform/ middle-ware level reduce the cost of potential breaches significantly. In mobile hybrid apps context, we are focusing on one main app component; that is the configurations. This work aims to provide different mechanisms to help developers by adopting configurations that are more aligned with the app requirements, and that implements the Least Privilege principle. Fine-grained and aligned configurations should help nullify several code-injection attacks. To achieve this, we present 2 frameworks to implement a fine-grained plugin access model. The first one is a page-level and the second is more granular to enforce policies on a state level. In addition, we provide a tool that is mainly meant to incorporate the developer into the configuration process. We have implemented CordovaConfig, an interactive web-based tool that is based on the state-level approach. Moreover, it provides more control to the developer and increases her awareness to the impact of risky settings. We have tested this tool, and our experiments demonstrate that it is a practical and a usable alternative for configuring hybrid apps. We believe that fortifying hybrid mobile development process with functionalities that complies with security principles and involves the developer, is essential to enhance the quality and security of hybrid apps as a product. This is especially relevant with the current absence of proper supporting tools.