Mobile strategy is something of a mind-boggler for companies that don't necessarily have one in place. While web channels tend to have entire scrum teams dedicated to their development, mobile is often forgotten or skipped due to its complexity when push comes to shove. With that, the security aspect comes last.
We could spend hours discussing how one measures up against the other in terms of development advantages. If you're interested, we found that Y Media Labs and Checkmarx give a good comparative analysis of Native and Hybrid, but both cast very little light on security. What's more, a 2017 report from NodeSource and Sqreen stated that 60% of developers lack confidence in their app security. Despite the number of tools available to boost code security, it is still a low priority for some development teams.
In app development, building Native applications means building an app using the Native language of the platform: Objective-C on iOS, and Java on Android. Native is perceived to give better performance and can be chosen by some companies on the basis of that fact alone, even though it's not easy to build and maintain.
A Hybrid app always has some Native code (for instance, to start a Web container like a WebView). This means that the security vulnerabilities that apply to Native can also apply to Hybrid.
All known web attacks could potentially be used against a Hybrid mobile app. Here are some potential Hybrid vulnerabilities:
Hybrid-specific attacks can also occur, as we learned from the Cordova platform, which faced security vulnerabilities in the past. A list of those vulnerabilities has been posted on cvedetails.com.
Despite the risks, there are simple measures you can take to make sure that your Hybrid application is secure.
Updating to the latest Hybrid platform version ensures that potential vulnerabilities in the platform are fixed, and potential vulnerabilities in the Web container might also have been patched.
Web-based attacks: Take the 'regular precautions' that are also valid for building a secure web-based application (for more, see the security cheat sheet).
In essence, Hybrid does not lose the race against Native when it comes to app development. There are pros and cons for both when it comes to security, because any number of things could potentially go wrong. Essentially, there is more work involved in securing your Hybrid app, but just as much is involved in maintaining Native.
At the point of development, provided you've considered the points above, you will probably find that a Hybrid application can have just the same security as a Native application.
Onegini’s security platform has already anticipated the vulnerabilities presented by Hybrid application development. At Onegini we have already implemented these into our solution. By using the Onegini CIAM platform you can rest assured that your security concerns can become a thing of the past.
For more information, talk to us today and find out what we can do to revolutionize your mobile platform.