A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services

Matthew L Hale, Seth Hanson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

Web traffic is increasingly trending towards mobile devices, driving developers to tailor web content to small screens and customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device-independent means for developers to utilize these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that doesn't depend on platform-specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high-level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a test bed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the test bed, showing that it provides insight into vulnerabilities and helps assess risk.

Original language: English (US)
Title of host publication: Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 181-188
Number of pages: 8
ISBN (Electronic): 9781467372756
DOI: https://doi.org/10.1109/SERVICES.2015.35
State: Published - Aug 13 2015
Event: IEEE World Congress on Services, SERVICES 2015 - New York, United States
Duration: Jun 27 2015 – Jul 2 2015

Other

Other: IEEE World Congress on Services, SERVICES 2015
Country: United States
City: New York
Period: 6/27/15 – 7/2/15

Fingerprint

Testbeds
Application programs
Web services
Mobile devices
Web browsers
Accelerometers
Telecommunication traffic
World Wide Web
Containers
Cameras

Keywords

  • attack vectors
  • hybrid mobile application
  • thin native containers
  • vulnerabilities
  • web browser
  • web services

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Hale, M. L., & Hanson, S. (2015). A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services. In Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015 (pp. 181-188). [7196523] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SERVICES.2015.35
