Cross Platform Tools and Security

If you follow this site you will know I am not a great fan of cross platform tools. They tend to sacrifice performance and ‘look and feel’ for faster development. In cases where you can refine the look and feel, it usually becomes increasingly difficult to get screens with the correct UI idioms because most tools are based on generating HTML/JavaScript. Enterprise apps seem to be the most suitable use for cross platform tools as the look and feel of the UI tends to be less important. However, is this true?

I have recently written about how anyone using app-creation tools based on WebViews, or using WebViews in their app, needs to be aware of security vulnerabilities. Taking this further, there has been a recent presentation at BlackHat Asia 15 on ‘The nightmare behind the cross platform mobile apps dream’.

The problem with cross platform is that it provides a uniform environment that offers up a large number of apps that can be hacked in the same way and, as it turns out, can also be more easily hacked. The presentation describes some sobering problems with Cordova, Adobe AIR and Titanium. For example, Adobe AIR’s EncryptedStorage API doesn’t do much and only stores data Base64-encoded. Titanium’s default HTTPS is broken: it doesn’t validate the SSL certificate and hence is vulnerable to Man in the Middle (MiTM) attacks.
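The Base64 point can be checked during an app review: a value that is only encoded decodes straight back to readable text, while real ciphertext does not. The following is an added example, not code from the presentation or from any of the frameworks named; it assumes the stored values have already been extracted as strings, and the key names and values are constructed.

```python
import base64
import binascii
import hashlib


def recover_base64_plaintext(stored: str, min_len: int = 4):
    """Return the readable text hidden behind Base64, or None.

    A non-None result means the value was encoded, not encrypted.
    """
    try:
        # validate=True rejects characters outside the Base64 alphabet,
        # so ordinary strings such as "en-GB" are not mis-decoded.
        decoded = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(decoded) < min_len:
        return None  # too short to judge; avoids accidental matches
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary after decoding: may be real ciphertext
    if all(ch.isprintable() or ch in "\t\r\n" for ch in text):
        return text
    return None


def audit(store: dict) -> dict:
    """Map each flagged key to the plaintext recovered from its value."""
    findings = {}
    for key, value in store.items():
        recovered = recover_base64_plaintext(value)
        if recovered is not None:
            findings[key] = recovered
    return findings


# Constructed sample of extracted key/value storage (not real app data).
SAMPLE_STORE = {
    # "Protected" value that is only Base64 of a JSON document.
    "session": base64.b64encode(
        b'{"user":"alice","token":"constructed-token-123"}').decode(),
    # Stand-in for genuine ciphertext: 32 pseudo-random bytes.
    "blob": base64.b64encode(hashlib.sha256(b"constructed").digest()).decode(),
    # Ordinary setting stored in the clear.
    "locale": "en-GB",
}

if __name__ == "__main__":
    for key, text in audit(SAMPLE_STORE).items():
        print(f"{key}: encoded, not encrypted -> {text}")
```

A value that is not flagged is not proven to be encrypted; the check only catches the case where decoding alone recovers the data.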

If you are using cross platform tools then you are passing some responsibility for security to the framework. I am beginning to think platform tools are actually less suitable for Enterprise because that’s where there are usually increased security concerns.