Combining Security Risks of Native and Web Development in Hybrid Apps - AppSec EU 2017

Explore the security risks and best practices for developing hybrid mobile apps in this 37-minute conference talk from AppSec EU 2017. Delve into the architecture of Apache Cordova and learn about specific attacks targeting hybrid apps. Discover how Android developers are utilizing Apache Cordova in real-world scenarios. Gain hands-on guidelines for defensive programming and recommendations for hybrid app-specific security testing strategies. Examine weak spots in the JavaScript to Java bridge and understand the importance of using SSL. Learn about considerations for static and dynamic analysis, and receive practical recommendations for securing hybrid apps. Equip yourself with the knowledge to combine native and web development securely in the evolving landscape of cross-platform mobile app development.

Syllabus

Intro
Hybrid mobile apps
The architecture of Apache Cordova
Example app
One framework, many names
Cordova in the real world
What we have learned: plugin use
Why is it hard to the the security of hybrid apps
Example: Get Phone Number
Weak spot: JS Java bridge
Exploiting the JavaScript to Java bridge (CVE-2013-4710)
Never use http without SSL, or even iframes! Device
Recommendations: the (hopefully) obvious parts
Recommendations: we should not forget
Did you know
Recommendation: use the latest framework version
If you are using static analysis: Considerations
If you are using static analysis: Recommendations
If you are using dynamic analysis (e... pen testing)
Conclusion