The mobile Web has seen a big leap forward, driven by the rising popularity of smartphones and tablets, and the increasing speed of mobile networking technology. Contemporary Web applications offer alternative versions of their content, tailored specifically towards mobile devices. Popular features are aimed at mobile users, with location-based services as a prime example. Under the hood, numerous new technologies have been proposed and implemented to accommodate mobile applications. Examples are the Mobile CSS specification, the Geolocation API, support for accessing native device features, and enabling the offline use of Web applications.
However, the mobile Web is more than merely this version of the Web tailored towards users of mobile devices. The use of mobile apps, prepackaged applications that enhance the functionality of a mobile device, has pushed the use of the mobile Web even further. At the beginning of 2014, U.S. users spent more time accessing the Web using mobile apps than traditional PCs. A breakdown of these results show that 47% of Internet usage came from mobile apps, 8% from mobile browsers, and 45% from PCs.
Development frameworks are available to package the app’s codebase into a platform-specific app, which can be installed by users. In the second approach, developers build a native app for the mobile platform but have the capability to incorporate a component capable of rendering Web content. Commonly encountered use cases are the integration of advertisements in a mobile app, or the rendering of user documentation. The advantage of this approach lies in the combination between native code and Web content, where the former is typically faster, and the latter platform-independent and widely available. The security model of mobile apps differs slightly between the different mobile operating systems that are available, but generally speaking, mobile apps are fully isolated from one another.
A restricted communication mechanism is available to enable inter-app communication, such as the inter-process communication mechanism on Android. Apps are confined within their runtime environment but can access APIs and system features by requesting explicit permissions from the user. While this security model offers certain basic guarantees, it does not prevent traditional Web security problems, which have been covered extensively in the previous chapters, from propagating to mobile apps. This phenomenon is aptly illustrated by the OWASP Top Ten Mobile Risks, where numerous similarities with the Top Ten for Web applications can be observed. Even worse, since mobile apps tend to have access to numerous device-specific features, such as sending text messages and making phone calls, and a lot of user-related data, such as contact information, the consequences of an attack can stretch far beyond the boundaries of the app under attack.
Web technologies are a fundamental building block of mobile apps and are likely to remain so for the foreseeable future. Therefore, it is crucial to invest in the security of these platforms, both in research and in the state of practice. For example, a recent study has uncovered security flaws in WebView technology, a platform-specific component used to display Web pages on Android and iOS. One class of attacks allows a malicious app to attack a Web page loaded in a WebView container, for example, a malicious app targeting the Facebook Web application. The second class of attacks consists of a non-malicious application being attacked by a malicious page loaded in a WebView container, for example, an application showing a malicious advertisement. Other noteworthy research results include a detection tool for these WebView vulnerabilities, a study on unauthorized origin crossing on mobile platforms, and an analysis of unsafe and malicious dynamic code loading practices in Android apps.