Amit Ashbel, cyber-security evangelist, Checkmarx

We're living in a world where technology is increasingly part of our everyday lives. Unfortunately, despite the advantages that all of this new technology offers, it also comes with risk. Although there is research to suggest that developers are becoming more security conscious, applications are still being developed without security in mind. 

According to recent research from Ofcom's Tech Tracker, 71 percent of UK adults had a smartphone last year. Meanwhile, even though the general feeling among researchers and analysts is that IoT devices will number approximately 30 billion by 2020 rather than the earlier predicted 50 billion, 30 billion is still a lot of connected devices. And looking at the App Store at the beginning of this year, there were 2.2 million downloadable applications. Because applications present such a large attack surface, it is essential that organisations understand the context of application development and the differences between native and hybrid mobile development. 

Research from Palo Alto Networks in March this year revealed that 132 apps on Google Play were infected, but this is only the most recent research about infected applications; it is a regular occurrence for infected apps, especially Android apps, to be found and removed from the store by Google. 

It is not altogether surprising that applications are not always secure. Traditionally, developers have been measured on how quickly they can code rather than on how securely. This is largely down to today's competitive marketplace, where organisations are under increasing pressure to get applications to market as quickly as possible. Because of this, security has not always been a priority, and even when bugs or vulnerabilities are eventually found by testing at the end of the development process, organisations sometimes only have time to fix one or the other. They often choose to fix the bugs that affect user experience rather than the vulnerabilities that would make the application more secure. 

However, there is now at least more recognition of the security threats from mobile and IoT applications. According to the Ponemon 2017 study on Mobile and Internet of Things Application Security, 79 percent of respondents said the use of mobile applications increased security risk drastically, while 75 percent said the same of IoT applications. In addition, new research from Sonatype suggests that development teams are becoming more security focused, with 42 percent of mature DevOps organisations performing application security analysis at every stage of the software development life cycle (SDLC) and 58 percent of DevOps teams having automated security as part of Continuous Integration (CI) practices. Things are moving in the right direction. 

But the threats from mobile applications cannot be ignored. Developers of course need to code securely, but they also need to choose wisely between native applications, built using the development tools and language specific to the operating system (iOS, Android, etc.), and hybrid applications, constructed from HTML5 embedded in a native container. Each approach has advantages and disadvantages, as well as security implications that developers need to consider. 

Native applications will generally offer a better user experience, not least because they perform as users expect, but developing a native app also gives the developer better access to features such as the camera and microphone that are built into the platform. Native apps are also more likely to be promoted as Editor's Choice, because the app stores want to promote apps that use the latest OS features, which are only available through the native platform. However, native development requires developers to know or learn highly specific languages that apply to only one platform, and the app must be entirely rewritten to work on another native platform, so double the resources are required. Hybrid applications are simpler and quicker to develop because they can use well-known languages and are relatively one-size-fits-all in comparison to native development, but they generally cannot compete with the user experience of native applications. 

In general, native applications are considered more secure than hybrid ones because they can leverage the built-in security features specific to each platform, but there are still threats. Common threats for native apps include insecure local data storage, weak SSL implementation, unintended data leaks, and code injection. On the Android platform, an application may store sensitive information in the phone's local data storage, where it can be exploited by an attacker who gets a shell on the device or who makes a backup of the application. Attackers can use similar methods on iOS applications if the phone is jailbroken. 

Hybrid applications can have vulnerabilities due to poorly written code. Common threats include JavaScript injection, weak SSL implementation (just as with native apps), and caching issues. Because hybrid applications run inside web views, they are exposed to the same attacks on badly written JavaScript or HTML as any regular web page. In addition, hybrid apps are also susceptible to reverse engineering and man-in-the-middle attacks. 
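The JavaScript injection risk described above comes from untrusted text being concatenated straight into the markup that a hybrid container hands to its web view. The following is an added example, not code from the original article or from Checkmarx, showing the vulnerable pattern beside its escaped counterpart and a simple check a code review or build step could apply to rendered fragments. The display name and the function names are constructed for illustration; the snippet runs under Node.js with no dependencies.

```javascript
// Added example (not from the original article): JavaScript injection in a
// hybrid app's web view, and the escaping that closes the hole.

// Constructed sample: a display name from an untrusted source (a remote API
// response, a deep link, a QR code) that carries embedded markup.
const UNTRUSTED_NAME = 'Mallory<script>document.title="owned"</script>';

// Vulnerable pattern: the untrusted value is concatenated into HTML that the
// container will load into the web view (innerHTML, loadData, and similar).
// Any markup inside the value becomes live content in the app's origin.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Minimal HTML escaping, sufficient for text nodes and double-quoted
// attribute values: every character that can open markup is neutralised.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: the untrusted value is escaped before it touches markup,
// so the web view renders it as literal text rather than executing it.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Cheap review-time check on a rendered fragment: flag any script element or
// inline event-handler attribute that survived into the output. Escaped
// output contains no raw "<" from the untrusted value, so it passes.
function containsActiveContent(html) {
  return /<script\b|<[^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe :', renderGreetingUnsafe(UNTRUSTED_NAME));
console.log('safe   :', renderGreetingSafe(UNTRUSTED_NAME));
console.log('unsafe flagged:', containsActiveContent(renderGreetingUnsafe(UNTRUSTED_NAME)));
console.log('safe flagged  :', containsActiveContent(renderGreetingSafe(UNTRUSTED_NAME)));
```

Escaping at the point of rendering is the fix for text inserted into HTML; values placed into URLs, scripts or CSS need the encoding appropriate to that context, and a real hybrid app would normally delegate all of this to its framework's templating rather than hand-rolling the escaping as shown here.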

There is no doubt that people's lives are becoming more connected to technology, and thus more exposed to the risks that technology presents to their personal information. When it comes to applications in particular, making the right decisions and writing code with security in mind will go a long way towards protecting people and organisations in this new world. 

Contributed by Amit Ashbel, cyber-security evangelist, Checkmarx

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.