A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services

Matthew L. Hale, Seth Hanson

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

6 Scopus citations

Abstract

Web traffic is increasingly trending towards mobile devices, driving developers to tailor web content to small screens and customize web apps using mobile-only capabilities such as geo-location, accelerometers, offline storage, and camera features. Hybrid apps provide a cross-platform, device-independent means for developers to utilize these features. They work by wrapping web-based code, i.e., HTML5, CSS, and JavaScript, in thin native containers that expose device features. This design pattern encourages re-use of existing code, reduces development time, and leverages existing web development talent that doesn't depend on platform-specific languages. Despite these advantages, the newness of hybrid apps raises new security challenges associated with integrating code designed for a web browser with features native to a mobile device. This paper explores these security concerns and defines three forms of attack that can specifically target and exploit hybrid apps connected to web services. Contributions of the paper include a high-level process for discovering hybrid app attacks and vulnerabilities, definitions of emerging hybrid attack vectors, and a test bed platform for analyzing vulnerabilities. As an evaluation, hybrid attacks are analyzed in the test bed, showing that it provides insight into vulnerabilities and helps assess risk.

Original language: English (US)
Title of host publication: Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015
Editors: Rami Bahsoon, Liang-Jie Zhang
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 181-188
Number of pages: 8
ISBN (Electronic): 9781467372756
DOIs: https://doi.org/10.1109/SERVICES.2015.35
Publication status: Published - Aug 13 2015
Event: IEEE World Congress on Services, SERVICES 2015 - New York, United States
Duration: Jun 27 2015 to Jul 2 2015

Publication series

Name: Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015

Other

Other: IEEE World Congress on Services, SERVICES 2015
Country: United States
City: New York
Period: 6/27/15 to 7/2/15

Keywords

  • attack vectors
  • hybrid mobile application
  • thin native containers
  • vulnerabilities
  • web browser
  • web services

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Hale, M. L., & Hanson, S. (2015). A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services. In R. Bahsoon, & L-J. Zhang (Eds.), Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015 (pp. 181-188). [7196523] (Proceedings - 2015 IEEE World Congress on Services, SERVICES 2015). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SERVICES.2015.35