Hybrid or Native: But what about security?

Author: Sheree Walsh and Stein Welberg

Posted on May 9, 2018

Are native apps more secure than hybrid apps? This one comes up a lot. First-off, Hybrid apps are not necessarily any less secure than their Native counterparts. There are, however, more attack vectors to take into account when it comes to developing Hybrid. We'll take a little look at what makes Hybrid stand out from Native in app development. Moving on, we show you what Hybrid security vulnerabilities to look out for. While some might sway towards Native as the more secure route, we put together a how-to list on keeping your Hybrid platform secure.

Making the case: security comes first 

Mobile strategy is something of a mind-boggler for companies who don’t necessarily have one in place. While web-channels tend to have entire scrum teams dedicated to their development, mobile is often forgotten or skipped due to its complexity when push comes to shove. With that, the security aspect comes last.

We could dedicate hours talking about how one measures up against the other in terms of development advantages, so if you're interested we found Y Media Labs and Checkmarx give a good comparative analysis of Native and Hybrid, but both cast very little light on security. What's more, a report that came out from NodeSource and Sqreen in 2017 stated that 60% of developers lack confidence in their app security (source here). Despite the amount of tools out there that boost code security, it is still a low priority for some development teams. 

is your app's code secure?

Knowing the difference: 

  • Native: Gives the best customer experience, but this comes at a cost of both time and budget. Often seen as the most secure. This is because everything can be coded into the infrastructure of the app, encrypted and obfuscated.  
    • Hybrid: The wrapper gives it almost the same capabilities as Native, at a fraction of the cost. Often seen as less secure. This is because the hybrid container which is essentially a web browser can expose some of the features of the underlying platform. 

Building Hybrid in a Native world

In app development, building Native applications means building an app using the Native language of the platform: Objective-C on iOS, and Java on Android. Native is perceived to give better performance and can be chosen by some companies on the basis of that fact alone, even though it's not easy to build and maintain.

Hybrid is typically chosen for app development as it is easier to develop than Native: it is a web application (or a web page) running in a web container that is managed by the Hybrid platform. To develop Hybrid you use HTML, CSS and JavaScript, these are then wrapped in the Native application using a wrapper like Xamarin or Apache Cordova. At development stage you can address the majority of security vulnerabilities known to affect Hybrid, if you know what to look for.

A Hybrid app always has some Native code (for instance to start a Web container like a WebView). This means that the same security vulnerabilities that apply to Native can also be considered a vulnerability for Hybrid.

 

1.1 Onegini connect mobile

Know what to look out for: Hybrid vulnerabilities

All known web-attacks could potentially be exploited in a Hybrid mobile app. Here are some potential Hybrid vulnerabilities:

  • XSS
  • HTML 5 related vulnerabilities
  • Client HTML5 Information Exposure
  • Client HTML5 Insecure Storage
  • Client HTML5 Store Sensitive data In Web Storage
  • Client HTML5 Heuristic Session Insecure Storage
  • Protecting resources: Stealing and understanding resources (HTML/JS) of a Hybrid app is a bit easier than stealing and understanding Native code (if obfuscation is applied!)
  • Be careful with iFrames.

Hybrid-specific attacks can also occur, as we learned from the Cordova platform which faced security vulnerabilities in the past. A list of those vulnerabilities has been posted on cvedetails.com.

Despite the risks, there are simple measures you can take to make sure that your Hybrid application is secure.  

How to secure your Hybrid:

  • Always update to the latest Hybrid platform version

Updating to the latest Hybrid platform version ensures that potential vulnerabilities in such platforms are fixed and also potential vulnerabilities in the Web container might also have been patched.

Web-based attacks: Take the 'regular precautions’ that are also valid for building a secure web-based application (for more, see the security cheat sheet.

  • XSS (cross-site scripting)
  • Enforce whitelisting of URLs so your app can only communicate with specific URLs
  • Properly encode input (treat all input as unsafe)
  • Fetching resources securely: Make sure that fetching data is going through the Native layer to provide Certificate Pinning or additional encryption on top of SSL. This also ensures proper Certificate Pinning (which is not supported in Cordova by default, for instance)
  • Protecting resources
  • Apply code obfuscation to both the Native and HTML / JS resources
  • Tampering with resources / resource injection
  • Resources fetched from the server must be protected with SSL (and potentially an additional encryption layer)
  • Resource integrity should be checked when fetching a HTML or JS resource from a server before executing (this can be done using an additional encryption layer on top of SSL)
  • The regular Native security measures such as jailbreak / debug detection must be applied
  • Carefully choose the WebView that you want to use in your Hybrid application. For example, Cordova supports different WebViews which might offer better security compared to the default WebView especially on older devices
  • If external resources must be fetched which are not under your full control use an InAppBrowser (On Cordova: cordova-plugin-inappbrowser). This ensures a different instance of the WebView which doesn't have access to the Cordova APIs

Conclusion

In essence, Hybrid does not lose the race against Native when it comes to app development. There are pros and cons for both when it comes to security. This is because of any number of things that could potentially go wrong. Essentially, there is more work involved in securing your Hybrid, but just as much is involved in maintaining Native.

At the point of development, provided you've considered the points above, you will probably find that a Hybrid application can have just the same security as a Native application. 

Onegini's got you covered

Onegini’s security platform has already anticipated the vulnerabilities presented by Hybrid application development. At Onegini we have already implemented these into our solution. By using the Onegini CIAM platform you can rest assured that your security concerns can become a thing of the past.

For more information, talk to us today and find out what we can do to revolutionize your mobile platform.

Find it a bit too complex?

A true answer on Hybrid vs Native can be a tough and impactful decision. It never hurts to ask for a second opinion. Get in touch.