I recently wrote about how anyone using app creation tools based on WebViews, or using WebViews in their app, needs to be aware of security vulnerabilities. Taking this further, there has been a recent presentation at BlackHat Asia 15 on ‘The nightmare behind the cross platform mobile apps dream’.
The problem with cross platform is that it provides a uniform environment that offers up a large number of apps that can be hacked in the same way and, as it turns out, can also be hacked more easily. The presentation describes some sobering problems with Cordova, Adobe AIR and Titanium. For example, Adobe AIR’s EncryptedStorage API doesn’t do much and only stores data Base64-encoded. Titanium’s default HTTPS is broken: it doesn’t validate the SSL certificate and hence is vulnerable to Man in the Middle (MiTM) attacks.
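To check your own app for the storage weakness described above, the following added example (not code from the presentation or from any framework) audits values pulled from an app's local store and flags those that are only Base64-encoded. The function names, the sample record and the 0.95 printable-text threshold are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample record; not taken from any real app.
const SAMPLE = '{"user":"alice","token":"constructed-sample-token"}';

// Buffer.from(v, 'base64') silently skips invalid characters, so check the
// alphabet and confirm the value re-encodes to itself before trusting it.
function decodeStrictBase64(value) {
  if (value.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return null;
  const buf = Buffer.from(value, 'base64');
  return buf.toString('base64') === value ? buf : null;
}

// Fraction of bytes that are printable ASCII, tab, LF or CR.
function printableRatio(buf) {
  let n = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d) n++;
  }
  return buf.length ? n / buf.length : 0;
}

// 'encoded-only' means anyone with file access can read the value without a key.
// 'undetermined' is not proof of encryption, only that the bytes are not text.
function classifyStoredValue(value) {
  const decoded = decodeStrictBase64(value);
  if (decoded === null) return 'not-base64';
  return printableRatio(decoded) >= 0.95 ? 'encoded-only' : 'undetermined';
}

// Authenticated encryption for comparison. Assumption: in a real app the key
// lives in the platform keystore, never beside the data.
function sealWithAesGcm(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64');
}

function auditStore(entries) {
  return Object.fromEntries(
    Object.entries(entries).map(([k, v]) => [k, classifyStoredValue(v)]));
}

const store = {
  session: Buffer.from(SAMPLE, 'utf8').toString('base64'), // Base64 only
  sealed: sealWithAesGcm(SAMPLE, crypto.randomBytes(32)),
  theme: 'dark-mode!',
};
console.log(auditStore(store));
```

A short plain word whose length is a multiple of four can also parse as Base64 and land in 'undetermined', so review those entries by hand.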
If you are using cross platform tools then you are passing some responsibility for security to the framework. I am beginning to think platform tools are actually less suitable for Enterprise because that’s where there are usually increased security concerns.