Mobile devices have exploded in our modern world. And with the explosion have come implications. Business can be conducted anywhere now, and high-value documents and data can easily be read and shared on the go. While this may be great for productivity levels and greater flexibility, security risks only seem to increase as more cell phones and tablets hit the marketplace.
The customers who use our mobile apps aren’t necessarily thinking about security as they use their phones to do any number of things – and it’s on us if our applications are hit by hackers. Each mobile operating system (OS) comes with its own security risks, and developing secure applications for different platforms, written (and secured) in the appropriate language for the platform, can get tricky.
In response to the various complications brought about by developing the same application for (very) different mobile platforms, there’s been a move towards converging to a single platform. One of these solutions is PhoneGap. And while it solves a few big problems, it also comes with security issues of its own. Let’s take a look.
What is PhoneGap and Why Would I Use It?
The beauty of the PhoneGap framework and the underlying Cordova software is that it allows developers to write the code for an app only once, then have it compiled for each of the supported mobile platforms. It also allows developers who don’t know the intricacies of Java, Objective-C, or other mobile programming languages to still create apps for mobile platforms. [Check out a list of PhoneGap apps here.]
In short, developing apps for multiple operating systems using a single framework offers developers a much simpler way of writing apps. It can also be much cheaper if you’re planning on developing your apps for more than one mobile OS. And the technology is catching on, with thousands of apps built and over 400,000 developers using the PhoneGap platform.
How Does PhoneGap Work?
PhoneGap uses web technology to help bridge the gap between mobile and web.
Communicating with each OS, PhoneGap uses different APIs (built by PhoneGap) and plugins (both native and custom), which act as the bridge between each platform’s native language and the PhoneGap script. Out of the box, PhoneGap comes with APIs for Camera, Contacts, Compass, Media, FileSystem and more. Plugins extend those functionalities not accessible with the available APIs.
For a deeper look at PhoneGap, check out this great post on the PhoneGap blog that explains the platform visually.
What makes XSS exponentially more dangerous in mobile apps is that an attack exploiting an XSS vulnerability can steal your users’ contacts, the contents of their text messages, the notes stored on their phones, and more. To see a good example of what kind of damage a cross-site scripting vulnerability can do, check out Nerdy Beardo’s POC, where he was able to steal all (his own) phone contacts as well as take a picture and send both to a third party – easily.
How to Fix:
One of the most common worries about PhoneGap security is the fact that much of your data is stored locally on the user’s device by default. Anyone with access to your app also has access to your source code. If your code isn’t secure, you’re setting yourself up for any number of malicious attacks through vulnerabilities in that code. Anything from reverse engineering and app spoofing to theft of data can happen if you’re not careful in protecting your high-value data.
How to Fix:
A client-side language has its pros, but it also comes with various security implications – especially when it’s being executed where it’s not ‘natural’ to do so. Client-side apps, including the ones written for PhoneGap, normally allow anyone to see, modify and send the code under the surface. That makes escaping each input and treating all input as evil especially important when developing PhoneGap applications.
A study performed by Syracuse University researchers found that out of 764 free Android apps built on the PhoneGap platform, eleven were vulnerable to code injection, and they successfully attacked two of them. While that’s not a significant percentage of vulnerable apps, it’s something to pay close attention to as use of the PhoneGap platform expands.
How to Fix:
In Android applications especially, developers need to be aware of the permissions they’re asking users to grant them.
With PhoneGap’s standard plugins, 16 permissions are requested by default. Each of these permissions adds another avenue of attack. Should a user be hit by an XSS attack through your app, you can at least reduce the risk of total device takeover by limiting the permissions to only those essential to your app’s functionality.
How to Fix:
So – Is PhoneGap Less Secure Than Other Platforms?
In short, the answer is no. Out-of-the-box, PhoneGap may come with security issues that need to be addressed, mostly because of how new the platform is, but they’re quickly working out the kinks.
The cause of most vulnerabilities comes down to a lack of knowledge regarding what secure code looks like, as well as what issues to watch out for. With a bit of work and some hacks of your own, it is possible to release secure PhoneGap applications. What it really boils down to is making the conscious decision to submit your code to whatever testing and changes are necessary.
Discussion: What struggles have you had securing your PhoneGap applications?