Development benefits, and security risks, of HTML5 'hybrid' mobile apps

Hybrid apps act like native apps; but they can also act like bad apps

So-called hybrid mobile apps are a way to finesse the debate over whether native apps, written in a given language for a specific OS, or web apps, written in HTML5, CSS and Javascript, are best.

A pair of well-written blogposts, neither of which are intended as a programmers' tutorial, highlight the emerging opportunities, and risks, of hybrid mobile apps.

Conceptually, the idea is that hybrid apps let developers, and enterprises, combine the best of both worlds. But, as in every such combination, there are tradeoffs. One big one is the new, and sometimes not-so-new security vulnerabilities that mobile web apps introduce.

Making the case for hybrid app development in a recent Venturebeat blogpost is Ron Perry, the CTO for Worklight, which offers an application platform for building native, HTML5 and hybrid mobile apps.

Perry's basic point is simple: "Hybrid app development employs native capabilities while also serving as a strategic stepping stone towards adoption of HTML5."

Perry defines a hybrid app as a "native, downloadable app, that runs all or some of its user interface in an embedded browser component." Developers use HTML, CSS and Javascript to write at least some of the app, and the portions so written can be reused across devices. That promise of cross-platform reuse is one of the main appeals of HTML-based mobile apps, especially those using the still-emerging HTML5 standards.

Those standards, along with Cascading Style Sheets 3 (CSS 3) and third-party Javascript toolkits and frameworks such as Sencha Touch, jQuery Mobile and dojox.mobile, give developers the capabilities to make hybrid apps that behave a lot like native apps.

But not completely: Perry notes that direct access to device and OS features is limited, so apps that need special graphics or system-level features aren't good candidates. (Though app frameworks like the open source library from PhoneGap let Javascript access the on-device compass or take pictures, for example.)

But the "dark side" of hybrid and HTML5 apps is highlighted in a blogpost by Steve Mansfield-Devine, who edits the "Network Security" and "Computer Fraud & Security" newsletters.

"HTML 5 isn't just a bunch of new tags," Mansfield-Devine writes. "It provides new mechanisms for exchanging and storing data, as well as presenting video, audio, animations, typefaces and complex layouts." HTML5 won't be fully backed until 2012 or later. "The worry, then, is that developers will rush to exploit these great new features without fully understanding, let alone addressing, the security implications."

He gives an overview, and a generally positive assessment of the new security features introduced in HTML5. "Many of these are geared to tackling the problems that arise when a web page includes elements from other sources," he writes. "A classic example, and one that has been exploited many times in the past, is the iframe. An iframe allows the embedding of content from a source different to that of the main page."

Advertising services use the iframe to serve content, and attackers use it to inject malicious code. HTML5 sandboxes the iframe, with the result that "it is more difficult for malicious sites to lure users to navigate to untrusted content."
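To illustrate the sandboxing Mansfield-Devine is describing, here is a constructed example of a host page (it is not taken from either blogpost): the first iframe embeds third-party ad content with no restrictions, the second uses the HTML5 sandbox attribute so the embedded page keeps its own scripting but cannot navigate the browser tab away from the host page, open popups or act as same-origin content. The ad URL is a placeholder.

```html
<!-- Constructed example: a host page embedding third-party ad content. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Iframe sandbox example</title>
</head>
<body>
  <h1>Host page</h1>

  <!-- Weak: an unrestricted iframe. Script inside the embedded document may,
       for example, set top.location and redirect the whole tab to a site the
       user never chose to visit. -->
  <iframe src="https://ads.example/banner.html"
          width="300" height="250"></iframe>

  <!-- Hardened: the HTML5 sandbox attribute. Everything is denied except the
       capabilities explicitly listed; here the embedded page may run its own
       script but may not navigate the top-level window, open new windows,
       submit forms, or be treated as same-origin with the host page. -->
  <iframe src="https://ads.example/banner.html"
          sandbox="allow-scripts"
          width="300" height="250"></iframe>

  <!-- Caveat: do not add allow-same-origin alongside allow-scripts for content
       you do not control. If the framed document is same-origin with the host,
       those two flags together let its script reach the parent document and
       remove the sandbox attribute, reloading itself unsandboxed. -->
</body>
</html>
```

Browsers that predate the sandbox attribute ignore it, so the attribute is a defence in depth for the embedding page, not a substitute for vetting what is embedded.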

The problem, Mansfield-Devine argues, is that developers will rush to make use of HTML5, but without fully understanding, or properly using, these security enhancements. Good security, to stay good, needs good programming.
