
Securing hybrid mobile applications

03/06/2019

When it comes to mobile application security, almost every developer thinks that native applications are more secure than hybrid applications.

It is true that there is more to take into account to mitigate the risks than with native applications, but this does not necessarily hold once all the countermeasures are in place when developing hybrid applications.

With hybrid app development, the developer needs to know which vulnerabilities to look out for. Hybrid applications use web development technologies such as HTML, CSS and JavaScript. This means that all the security measures applied when developing for the web can also be applied in hybrid development. Further security measures have to be taken into account depending on the hybrid framework used to wrap the code of the mobile application.

There are two sides to security in mobile application development: server side and client side. Server side security is the same for hybrid and native, irrespective of the development approach. On the client side, however, there is a difference: the native approach comes with its own layer of security, provided by the vendor of each platform. For hybrid applications, the developer has to apply an extra layer of security to help mitigate the risk of attacks on the mobile application. Below is a list of measures that help to mitigate that risk.

  • Keeping up to date with the latest framework and plugin versions. From time to time, vulnerabilities are also found in the framework and plugins used to build the mobile application. Developers therefore need to make sure they are using the latest stable version of both the framework and the plugins, which covers the risks known to date.
  • Cross-site scripting. This is one of the most common vulnerabilities in web and hybrid development and a constant risk, so every developer needs to implement a countermeasure that prevents an attacker from injecting client side scripts.
  • URL whitelisting. When developing a hybrid app, the developer knows the specific URLs the app will communicate with. Whitelisting only these URLs helps, because the app is then only allowed to communicate with the URLs specified.
  • Input encoding. Wherever the application accepts input, attackers can try to inject malicious content that harms the application's server side. Every input has to be treated as untrusted, and an encoding mechanism should be applied to diminish such risks.
  • Communication with the server. When the mobile application communicates with the server, it is important to always make use of SSL (Secure Sockets Layer), the standard technology used to date to keep the connection between two systems secure. Important data is sent to and received by the application during this communication, so SSL must always be used.
  • Code obfuscation. Applying code obfuscation is an ideal practice when developing a hybrid application. If the code is stolen and easy to read, it is easier for an attacker to attempt malicious attacks on the application. Code obfuscation makes it harder for attackers to reverse engineer the application.
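
As an added example (not code from the article or any particular framework), here are two of the client-side measures above written in plain JavaScript that runs inside any hybrid app's web layer: an origin allowlist checked before every outbound request, and HTML output encoding applied before untrusted text reaches the WebView's DOM. The origins, the `guardedFetch` wrapper and the comment markup are assumptions made for illustration.

```javascript
// Added example, not from the original article: client-side URL allowlisting
// and HTML output encoding for a hybrid app's JavaScript layer.

// Allowlisted backend origins (scheme + host + port). Constructed sample
// values; a real app lists only the endpoints it actually talks to.
const ALLOWED_ORIGINS = new Set([
  "https://api.example.com",
  "https://cdn.example.com",
]);

// True only if `url` is a valid absolute https URL whose origin matches the
// allowlist exactly. Substring matches ("api.example.com.evil.net"), other
// ports, plain http and embedded userinfo ("user@host") are all rejected.
function isAllowedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // relative or malformed URL: never let it through
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.username !== "" || parsed.password !== "") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Wrapper the app uses instead of calling fetch directly, so that no request
// leaves the WebView for an origin that was not explicitly allowlisted.
function guardedFetch(url, options) {
  if (!isAllowedUrl(url)) {
    return Promise.reject(new Error("blocked: origin not allowlisted: " + url));
  }
  return fetch(url, options);
}

// Encodes the five characters that let untrusted text break out of an HTML
// text or attribute context. Apply to server data and user input before it
// is placed into markup (or use textContent and avoid markup altogether).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the markup for a user comment with both fields encoded; the result
// is safe to assign to innerHTML even if author or body contain script tags.
function commentHtml(author, body) {
  return '<p class="comment"><b>' + escapeHtml(author) + "</b>: " + escapeHtml(body) + "</p>";
}
```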

In essence, if all the security measures are applied when developing a hybrid application, hybrid apps are not at risk of losing the security race against native applications. When it comes to security, both approaches have their pros and cons. It is true that there is more work involved in securing an application when going hybrid, but overall the same security standard as a native app can be achieved.

Clayton James is a software developer at Deloitte Digital. For more info, please visit www.deloittedigital.com.mt/custom-built-software