The Nightmare Behind the Cross-Platform Apps Dream
Recently at Black Hat Asia 2015 in Singapore, NowSecure mobile researchers Marco Grassi and Sebastián Guerrero Selma gave a well-received presentation about cross-platform frameworks and the unique security vulnerabilities they present.
Due to the proliferation of mobile platforms in recent years, apps are increasingly built on cross-platform frameworks including PhoneGap, Unity3D, Adobe AIR, Appcelerator and others. These frameworks can greatly simplify the mobile app development process by allowing developers to code once and then run on every mobile platform instead of having to write individualized, platform-specific code for Android, iOS, BlackBerry and others.
But this convenience often comes at the price of security. Code reuse creates a uniform attack surface: vulnerabilities are shared between different apps, which means an attack that works on one app has a high probability of working on other apps that use the same cross-platform framework. You can learn more about the troubling security implications of cross-platform frameworks by checking out Marco and Sebastián’s presentation deck below.
Marco Grassi joined NowSecure in 2012 as a member of the R&D Team, where he researches and develops solutions for mobile security products and performs reverse engineering, pentesting and vulnerability research in mobile OS applications and devices. When he’s not poking around mobile devices, he enjoys developing embedded systems and electronic systems. He has spoken at several international security conferences such as ZeroNights, Black Hat and Codegate. You can find him on Twitter at @marcograss.
Sebastián Guerrero Selma’s work includes research in mobile security and web security, developing tools and techniques for vulnerability assessment and post-exploitation of mobile devices and applications, and reverse engineering embedded platforms and mobile platforms. In the last few years, he has spoken at several security conferences such as RootedCON, NoConName, and RSA. You can find him on Twitter at @0xroot.