Combining the Security Risks of Native and Web Development: Hybrid Apps

by Achim D. Brucker and Michael Herzberg

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora's box: all the the security risks for native development are multiplied with the security risk of web applications.

In the first half of our talk, we start our talk with short introduction into hybrid app development, present specific attacks followed by a report on how Android developers are using Apache Cordova. In the second half of the talk, we will focus on developing secure hybrid apps: both with hands-on guidelines for defensive programming as well as recommendations for hybrid app specific security testing strategies.

Keywords:
Categories:
Documents:

QR Code for talk:brucker.ea:hybrid-app-security:2017.Please cite this article as follows:
Achim D. Brucker and Michael Herzberg. Combining the Security Risks of Native and Web Development: Hybrid Apps. OWASP AppSec EU, 12. may. 2017.
(slides) (handout) (BibTeX) (Share article on LinkedIn. Share article on CiteULike. )

BibTeX
@Talk{ talk:brucker.ea:hybrid-app-security:2017,
abstract = {Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora's box: all the the security risks for native development are multiplied with the security risk of web applications.\\\\In the first half of our talk, we start our talk with short introduction into hybrid app development, present specific attacks followed by a report on how Android developers are using Apache Cordova. In the second half of the talk, we will focus on developing secure hybrid apps: both with hands-on guidelines for defensive programming as well as recommendations for hybrid app specific security testing strategies.},
author = {Achim D. Brucker and Michael Herzberg},
day = {12},
event = {OWASP AppSec EU},
handout = {https://www.brucker.ch/bibliography/download/2017/talk-brucker.ea-owasp-hybrid-app-securit-2017-2x2.pdf},
isodate = {2016-05-12},
lecturer = {Achim D. Brucker},
location = {Belfast, UK},
month = {may},
slides = {https://www.brucker.ch/bibliography/download/2017/talk-brucker.ea-owasp-hybrid-app-securit-2017.pdf},
slideshare = {key/JYn1hJCN5Sml5a},
slideshare_height = {485},
slideshare_width = {595},
title = {Combining the Security Risks of Native and Web Development: Hybrid Apps},
url = {https://www.brucker.ch/bibliography/abstract/talk-brucker.ea-hybrid-app-security-2017},
video = {https://youtu.be/30yRXk70F7A},
year = {2017},
}