Why hybrid apps deserve application security as good as native apps

Arcoiris Labs
Apr 10, 2017

Because let's face it, hybrid applications are not as secure as you want them to be

Hybrid application development has been an alternative to native application development since Apache Callback, later renamed Apache Cordova, arrived as a solution to the fragmentation of the native development approach. The rise of the hybrid approach, started by Apache Cordova and followed by Telerik’s NativeScript, Xamarin and other players, opened up a new paradigm of application development, but all of them lack security. Although it solved the fragmentation problem, security is still in question when it comes to hybrid applications.

In the hybrid application approach, there are two sections where security needs to play its role. Considering the case of web-rendered hybrid applications, the two sections are:

  1. Native
  2. Web

The native section of the hybrid app includes the native OS API implementation and the rendering engine APIs. The HTML app rendered by the rendering engine accesses native APIs through a bridge implemented by the rendering engine, which can be a legacy implementation as per the standards or a custom bridge implementation; in the case of Apache Cordova, it is the CordovaPlugin implementation.

The other is the web section, where the web-related APIs are executed; these are governed entirely by the WebView runtime chosen by the rendering engine.

In both sections, security is the responsibility of the developer. The list of measures can be found on the OWASP project site.
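To make the bridge between the two sections concrete, here is an added example (not code from the original post or from Apache Cordova) that models the native side of a bridge as a dispatcher treating every call from the WebView as untrusted. `NativeBridge`, its methods, the `File`/`read` plugin, the origin and the directory are all hypothetical names and constructed values.

```javascript
// Toy model of the web-to-native bridge; added illustration, not Cordova's code.
// NativeBridge, register, exec and the "File"/"read" plugin are hypothetical names.
class NativeBridge {
  constructor(trustedOrigins) {
    this.trustedOrigins = new Set(trustedOrigins);
    this.plugins = new Map(); // service name -> { actionName: handler }
  }

  register(service, actions) {
    this.plugins.set(service, actions);
  }

  // Native-side entry point: every value arriving from the WebView is untrusted.
  exec(callerUrl, service, action, args) {
    let origin;
    try {
      origin = new URL(callerUrl).origin;
    } catch (e) {
      return { ok: false, error: 'bad caller URL' };
    }
    if (!this.trustedOrigins.has(origin)) {
      return { ok: false, error: 'origin not allowed' };
    }
    const plugin = this.plugins.get(service);
    // Own-property check so names like "constructor" never resolve to a handler.
    if (!plugin || !Object.prototype.hasOwnProperty.call(plugin, action)) {
      return { ok: false, error: 'unknown service or action' };
    }
    if (!Array.isArray(args)) {
      return { ok: false, error: 'args must be an array' };
    }
    try {
      return { ok: true, value: plugin[action](args) };
    } catch (e) {
      return { ok: false, error: e.message };
    }
  }
}

const SANDBOX = '/data/app/files'; // constructed directory for the example

const bridge = new NativeBridge(['https://app.example']); // constructed origin
bridge.register('File', {
  // Accept a bare file name only: no separators, no "." or ".." segments.
  read([name]) {
    if (typeof name !== 'string' || !/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/.test(name)) {
      throw new Error('invalid file name');
    }
    return `${SANDBOX}/${name}`; // a real plugin would open this path
  },
});
```

The three checks (caller origin, registered action, argument shape) sit on the native side because the web section cannot be relied on to enforce them once untrusted content is loaded into the WebView.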

The native development approach gets its own layer of security from application security vendors, which target specific platforms to provide better control over the application's runtime, assisted by the operating system runtime classes and the programming language runtime. Hybrid applications have no such advantage. The runtime (the WebView, in the case of web-rendered apps) is very restricted when it comes to applying security layers around it. Even where it is possible, the developer has to spend extra time securing the application, which defeats the point of rapid application development. Although hybrid development is often seen as serving only as a conceptual representation of native applications, hybrid apps that are secured properly can serve a better purpose and be as stable as native applications.

At the programming level, everyone finds problems with hybrid application development: performance, its “class-less” language, JavaScript (although ES6 and TypeScript are trying to bring OOP via transpilation), rendering, and user experience. WebViews are catching up on performance, as vendors regularly update the WebView components to bring better performance and support for new web standards.

The tilt towards the hybrid approach is borne out by the statistics from the years since the concept's inception in the market, as companies want to deliver a uniform user experience and cut the cost of the legacy development approach. But the hybrid approach has failed to gain confidence that developers can secure its internals the way they want.

Hybrid applications are seen as “second-class” citizens among application development approaches, but application security has to be equal for every approach to development.

The best part of hybrid application development is that the entire application ecosystem is based on standards. The projects are open source, from the runtimes to the practices, which allows developers to take the “high road” of shaping the platform as they want. But looking at the effort needed to secure it, developers find it better to go for a native solution, which is itself a monstrous task to secure, with the catch of better app performance when going native. Developers need to spend either time, by securing it themselves, or money, by going to mobile application security vendors.

Everything is in place: OWASP has listed the attack vectors on web applications and mobile applications, and some operating systems specifically allow us to add layers to mitigate the attacks to a certain level. All we need is a push towards more research into finding possible attacks on the application.

We believe that any developer, be it a lone developer or an organization, deserves a common security solution to protect its intellectual property, whether for itself or for the clients for whom it develops applications. The financial effort needs to be kept marginal in return for better application security at an affordable cost, in a world where privacy is the prime issue for users.

We see a freedom in hybrid application development that needs to be protected from its own inability to protect itself, and we see a rise in the practice of hybrid development, where it shall become more secure than “first-class” 100% native applications.

Arcoiris Labs

Specialized in developing Intelligent Smartphone Applications