June 23, 2014

HTML5 Apps Could Threaten Business Security

The new Web standard HTML5 is not only changing the face of websites, it is changing how entire business platforms operate. Service providers are creating whole suites that run primarily on the new Web standard, or that at least support apps that do.

A notable recent example is the up-and-coming Tizen operating system. Samsung is pushing that software—which uses HTML5-based apps—reportedly to break away from Android, and so it might. This may be good news for Samsung and others wishing to follow in its footsteps, but the prospect of an HTML5-centric world may not be entirely good news for businesses.

According to a recent blog post at CSO Online, university researchers have found that HTML5-based mobile apps could present a security hazard to businesses that use them. Specifically, researchers at Syracuse University presented information at the Mobile Security Technologies Conference last month in San Jose. Developer error could allow malicious users to send unwanted code into servers through wireless connections or through text messages.


It is the mix of HTML, cascading style sheets, and JavaScript present within the apps that can cause these problems. Developers need to be aware of the specific APIs they use to build their apps. The Syracuse researchers demonstrated that, by using the wrong kind of API, a user could send information to a JavaScript engine that the engine could easily execute. This could present a serious problem for users, the researchers said, who just want to use an app for information processing but who do not want to automatically execute code.
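The difference between the wrong and the right kind of API can be shown with a short added example, which is not code from the article or from the Syracuse researchers. The article does not name the APIs involved; the example assumes the common case of text being placed into a page as markup (as with `innerHTML`) versus as plain text (as with `textContent`), and the message data and function names are constructed for illustration.

```javascript
// Added example. Constructed sample data: text as it might arrive over a
// data channel such as a text message. Function names are hypothetical.
const incoming = [
  { from: "+15550100", body: "Meeting moved to 3pm" },
  { from: "+15550101", body: `<img src=x onerror="console.log('ran')">` },
];

// Escape the five characters that let text break out of an HTML text or
// attribute context. A single pass avoids double-escaping "&".
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak: untrusted text is concatenated into markup. Assigning this string to
// element.innerHTML lets the HTML parser turn the text into live elements
// and event handlers, so data becomes code.
function renderUnsafe(messages) {
  return messages.map((m) => `<li><b>${m.from}</b>: ${m.body}</li>`).join("");
}

// Hardened: every untrusted field is escaped before it reaches markup.
// In a browser, element.textContent = m.body gives the same guarantee
// for a single node without any escaping code.
function renderSafe(messages) {
  return messages
    .map((m) => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.body)}</li>`)
    .join("");
}

// Review helper: list tags in the output that the template itself did not emit.
function injectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags
    .map((t) => t.replace(/[<\/]/g, "").toLowerCase())
    .filter((name) => name !== "li" && name !== "b");
}

console.log("unsafe output, unexpected tags:", injectedTags(renderUnsafe(incoming)));
console.log("safe output, unexpected tags:  ", injectedTags(renderSafe(incoming)));
```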

This sort of threat is not necessarily new. The threats the researchers describe include threats that have been present for many years on the Internet and that Web browser execution makes possible. The changing factor here is that many businesses could potentially use the HTML5 apps with the expectation that they are more secure than the browsers they traditionally use.

Businesses that do not rein in their apps and browsers could be open to serious security risks. Apps often work across platforms, and as such they need to use middleware to access different device files and systems. The major mobile operating systems have different containers that allow apps to access these files, and they have different ways of limiting each app's access to sensitive files.

If businesses are going to endorse HTML5 apps that may have access to sensitive information, they will need to consider who has made the apps and be sure that they built the apps securely and with the correct APIs. Businesses can take steps to make themselves less vulnerable, and being aware of the threat that HTML5 apps can pose is an important start.

The CSO Online post made no specific recommendations for dealing with malicious apps. It only mentioned the broad advice of Bogdan Botezatu, senior e-threat analyst for Bitdefender.

"An HTML5-based app is no different from a web-based application and the same security measures should apply to both," Botezatu said.


Edited by Maurice Nagle

