Fracking With Hybrid Mobile Applications
Dave Hartley - 12 Jun 2014
Download the presentation here.
On June 7th 2014, Dave Hartley presented “Fracking With Hybrid Mobile Applications” at BSides Cape Town.
The talk explains how hybrid applications work (under the hood) on common mobile platforms (e.g. Android, iOS, Windows Phone and BlackBerry), presents an overview of the attack surface, highlights weaknesses in commonly deployed defences and discusses how attackers can compromise hybrid applications.
Hybrid mobile applications combine the features of web applications and “native” mobile applications using cross-platform languages such as HTML and JavaScript. They are usually developed using application frameworks such as PhoneGap. The framework and/or development approach provides an embedded web browser (WebView) that executes the application’s web code (HTML/JavaScript), along with a “bridge” that allows that web code to access local resources on the device. This approach has a number of pros and cons from both a technical and a business perspective, and there are a number of security considerations that developers, testers and the business need to fully understand before the approach can be utilised and/or the applications assessed.