Penetration TestFabian Gold6 min read

Native or Hybrid App - Which is More Secure?

There are numerous aspects to consider when developing apps securely. One of them is whether to choose a native app or a hybrid app.

Table of content

When it comes to developing a mobile app, one of the first questions to decide is whether to go native or hybrid. There are numerous aspects to consider here, but the focus in this post is to look at cyber security.

What is a Native App?

A native app is an app that has been developed to run on a specific platform. Since it is developed for a specific operating system, users can access all device features. Native Android apps are typically written in Java, while iOS apps are written in Objective-C or Swift.

What is a Hybrid App?

A hybrid app is compatible with different platforms and contains elements of both native and web apps. If a hybrid app is developed for iOS, it is easily possible to run it on Android devices as well. The development is based on JavaScript, CSS and HTML web technologies. After the code is created, it is packaged into a native app using cross-platform frameworks like React Native. Although hybrid apps are developed using web technologies, they feel like native apps and provide the same user experience.

General Differences Between Hybrid and Native Apps.

The main differences between native and hybrid apps lie in the development process. Hybrid apps are developed across platforms, while the development of a native app is done only for a specific operating system. Another difference lies in the performance of the app. It is obvious that a hybrid app cannot deliver the same performance as an app tailored to a single platform. Ultimately, the choice of whether native or hybrid app development depends on the goals and priorities of the app.

IT Security Differences

Native apps are generally considered more secure than hybrid apps. On the one hand, this is because native apps have access to platform-specific built-in security features. On the other hand, it's also because hybrid apps, due to their use of WebViews, can be vulnerable to Web-specific attacks. The most common attacks on hybrid apps include JavaScript injection, weak SSL implementation, and caching issues. However, this does not mean that native applications are invulnerable.

What are WebViews?

WebView is an important component for mobile applications. It allows Android and iOS applications to render web content and execute JavaScript code within a mobile application. The focus of WebViews is on usability and simplicity. Retrieving and displaying web content is made possible through a single method call. This means that by using WebViews, an application does not need to be redeveloped and managed for each platform. Moreover, updates to the application are made available immediately without any user interaction, since the content comes from a web server and is only adapted there.

Risks of using WebViews

By providing a direct connection between web content and the operating system, the use of WebViews tears a hole in the security provided by the browser sandbox. Basically, WebViews can be vulnerable to all the attacks that web applications are vulnerable to. However, there are also new types of security risks. For example, if the application has access to the phone's contacts and there is a cross-site scripting vulnerability, it is possible for an attacker to steal the contact information from the victim's device.

Measures to Mitigate the Risks

The easiest way to mitigate the risk is to disallow the use of JavaScript. Enabling JavaScript makes the application vulnerable to cross-site scripting attacks due to improper handling of user input. If JavaScript must be enabled, it is necessary to properly sanitize untrusted input. Furthermore, it is necessary to validate the origin of the content in the WebView. This can be implemented by the shouldOverrideUrlLoading and shouldInterceptRequest methods. Certificate pinning is a measure that prevents communication with an untrusted server. When SSL is used, it only checks whether the server has a valid certificate. However, nowadays it is relatively easy to obtain a valid certificate. Another risk is that the attacker manages to include his certificate in the Android Trust Store. In such a case, the TLS connection is also considered secure. Certificate pinning is a technique that prevents the above-mentioned risk. It is based on "pinning" certificate features directly in the application's source code. When a TLS connection attempt is made, the application can then check whether the server presents the expected ("pinned") certificate. To limit the damage that can be caused once an app is actually exploited, the principle of least privilege should be followed, i.e. in the case of Android, only the necessary permissions should be used. In addition, Android WebView allows you to disable access to local storage via the JavaScript bridge.

Conclusion

In summary, hybrid applications are not more insecure compared to native applications, as long as all security precautions are taken during development. Both types have their advantages and disadvantages. However, more effort is required in the hybrid approach to achieve the same level of security. Especially when using WebViews, it must be considered that this creates new risks. The good news is that modern Android versions have strict default settings regarding WebView. If you stick to these default settings and implement additional security mechanisms, using WebView should be sufficiently secure. However, when changing the default settings, such as enabling JavaScript support or using JavaScript interfaces, one should be very thorough and consider additional security mechanisms.

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: