TY - GEN
T1 - A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services
AU - Hale, Matthew L.
AU - Hanson, Seth
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/8/13
Y1 - 2015/8/13
N2 - Web traffic is increasingly trending towards mobile devices, driving developers to tailor web content to small screens and customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device-independent means for developers to utilize these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that doesn't depend on platform-specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high-level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a test bed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the test bed, showing that it provides insight into vulnerabilities and helps assess risk.
AB - Web traffic is increasingly trending towards mobile devices, driving developers to tailor web content to small screens and customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device-independent means for developers to utilize these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that doesn't depend on platform-specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high-level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a test bed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the test bed, showing that it provides insight into vulnerabilities and helps assess risk.
KW - attack vectors
KW - hybrid mobile application
KW - thin native containers
KW - vulnerabilities
KW - web browser
KW - web services
UR - http://www.scopus.com/inward/record.url?scp=84973316244&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84973316244&partnerID=8YFLogxK
U2 - 10.1109/SERVICES.2015.35
DO - 10.1109/SERVICES.2015.35
M3 - Conference contribution
AN - SCOPUS:84973316244
T3 - Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015
SP - 181
EP - 188
BT - Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015
A2 - Bahsoon, Rami
A2 - Zhang, Liang-Jie
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - IEEE World Congress on Services, SERVICES 2015
Y2 - 27 June 2015 through 2 July 2015
ER -