By Mark Kirstein, Senior Director of Enterprise Software, Zebra Technologies.
Although HTML5 cross-platform app development offers the convenience of developing once for deployment across many different platforms, it requires a responsible approach to security vulnerabilities across each platform served. When an exploit is discovered in any of the platforms covered by a cross-platform app development project, it raises concerns for developers. Per the standard software lifecycle, eventually a legacy operating system will become unsupported. For example, Google will no longer provide security patches for vulnerabilities in versions of Android's native WebView prior to KitKat 4.4. Of course, enterprises that rely on equipment using these unpatched legacy systems will still need to seek out some method of support.
Even though it's true that cross-platform app development tools will often offer their own patches to remove vulnerabilities from at-risk equipment components, it's also possible for developers to create applications that take smart precautions against potential and future security vulnerabilities. Mobile app developers should understand as well how to best leverage security features that OEMs provide in enterprise-class devices. With that goal in mind, here are three key tips for developing cross-platform mobile apps in HTML5 that are more secure, even in the face of potential vulnerabilities:
1. Secure Local Data
This can be done by using a cross-platform framework that encapsulates data models or object models within business objects. These objects then manage the local data and provide a layer of security to prevent dangers like SQL injection. You can visualize this by thinking of those data models or object models as your M&Ms, where local data is the soft chocolaty inside to keep safe and business object encapsulation is the tough, outer shell. Which is similar to…
2. Encapsulate Your HTML5 Apps in Native Containers
This gives you the power to control and block non-required services from being accessed, a smart method of shutting down possible avenues for malicious code. Close down these paths that have no reason to be open (for instance, block access to on device contact information or rogue websites trying to phish for data). Having a local web controller or local source files can allow you to manage access needs properly, and avoid security issues such as those associated with cross-domain browsing. Best yet, risks can be mitigated if developers confirm only trusted content by either loading the content from a local source or over HTTPS when needing to connect to a web server.
3. Leverage Open Source Support
Open source distributions outside of the main providers (Google, and so forth) may offer security patches as well. It's not unusual that vibrant communities will rise to the challenge and keep software patched long beyond its official expiration date, working either out of love or from their own business necessities. It pays for developers to be connected to these communities that may also offer modifications and informational support that can prove valuable.
It's imperative that cross-platform developers know how to defend their applications, regardless of a platform's support status—and they can with the right techniques. With appropriate design and support, developers and device OEMs can address potential security vulnerabilities and build applications able to withstand the tests of time.