What the transition to hybrid apps means for security

People often put privacy concerns to the back of their mind if the perceived benefits are compelling enough.

Think about a time when you’ve wanted to download a specific app. When you’ve spent time imagining how its personalised content is going to improve your life.

How much attention have you really paid to the small print about the permissions you’d have to give to the company that created it?

This is especially true of younger app users. Gen Z customers have grown up with the smartphone. Personalized ads based on location and likes might seem a little creepy to some of us. But not to the consumers of the future.

Brands know this, too. They know that the smartphone is essentially a way of reaching their customers and prospects at any time - and wherever they are.

This puts pressure on businesses to develop an app that puts them in their customer’s pocket.

The thing is, developing an app can take a lot of time. Particularly when you consider it would have to be compatible with both iOS and Android devices. Not to mention versions for other devices, such as smartwatches.

This is where hybrid apps come in.

A hybrid app can be designed and developed in a fraction of the time it takes for a standard native app to be ready. And for that reason, some analysts now see hybrid apps as the future of app development.

But it’s important to recognize that the differences between native apps and hybrid apps also extend to security. Hybrid apps are still relatively new, the techniques for protecting them are less mature than those for native code, and bad actors have taken notice.

So, if you’re considering taking the hybrid app route, it’s crucial that you understand the risks and how to mitigate them before you ship.

Welcome to the future

It’s interesting to look back on a film from 15 or 20 years ago that was set in the future to see what it got right and what it got wrong.

There’s one particular scene in the film Minority Report that got us talking here at the Licel office recently. Tom Cruise walks into a Gap store and is greeted with a personalized message from an avatar asking him how a recent purchase worked out for him.

In the film, it’s an individual’s eyes that are scanned before personalized ads are played to them. We might not be quite there yet with the eye scanning technology, but generally speaking companies can do exactly the same thing today.

If a retail company has an app, it can place Bluetooth LE beacons around the store. The beacons simply broadcast identifiers; the app on your phone listens for them and reports which beacon you are closest to back to a server. Once you’re in the store, the company can combine that position with your likes and past purchase history to send you targeted ads.

Imagine there’s a shirt you really like the look of, but you think it’s too expensive and you can’t justify paying for it. A little disappointed, you walk toward the exit. But then, just as you’re about to leave the store, your phone vibrates in your hand. It’s a personalized ad with an offer for 25% off the original price of the shirt.

For a millisecond, you might be slightly perturbed at the realization that the brand knows more about you than you know yourself. But then you’d probably think about the cold facts of taking the shirt home today.

Advertising in the 2020s is likely to look a lot like this. And that’s the reason why lots of brands feel they’ll be left behind if they don’t have an app.

Developing a hybrid app means getting in your customer’s pocket a lot more quickly.

The evolution of marketing and the rise of hybrid apps

Last year, Gartner issued a press release in which they predicted that mobile apps would have the biggest impact on business success in 2020.

They suggested the future of app development would be multiexperience. In other words, apps would have to fit the changing shape of marketing. In a world of wearables and augmented reality, apps would have to adapt. Gartner also recognized the need for more conversational apps in a marketing landscape set to be transformed by virtual assistants.

It’s a message that has been repeated by lots of other commentators in recent years.

In an interview with The Drum, Ian James of Verve Mobile suggested that the future of apps lies in three core areas. The first is speed: ensuring that users can access content quickly. The second is precision, specifically the accuracy of location and voice search. And the third is trusted access: the idea that consumers will happily share their data if it means receiving a personalized experience.

Some of these insights help to explain why hybrid apps have been on the rise in recent years.

Developing a hybrid app means getting it to your customers fast. Sometimes people forget just how long it can take to create a quality native app for both iOS and Android. Instagram launched on iOS in October 2010 and didn’t release an Android version until April 2012, about 18 months later.

But would the modern user wait as patiently as they did almost a decade ago?

A culture of now permeates society these days. Younger consumers have grown up in a world of instant gratification. Companies fear that if they don’t get their app out there soon, someone else will take their place.

Hybrid apps also allow you to modify quickly. Not only is there a single code base across platforms, but changes to the web content can often be pushed without shipping a new build to each app store and waiting for approval.

As the user interface of a hybrid app is web based, it’s generally a much easier process to change content to fit your customers’ evolving needs. And a lower initial development cost helps to keep the budget down.

All of these factors help to explain why Ionic and other WebView-based hybrid frameworks, along with cross-platform toolkits such as Xamarin and NativeScript, are doing so well at the moment. But there are reasons why there’s still a healthy debate about whether native or hybrid apps are a better bet. And a lot of this debate centers around security.

Hybrid app security

Firstly, it should be said that there are strong arguments in favor of native apps even without taking security into consideration. There are plenty who would argue that if you truly want to offer your customers a great user experience, then native is the only way to go.

But it’s also true that protecting native apps is a little more straightforward.

JavaScript-based apps are simply set up differently, and that affects how they can be protected from attackers. They still carry sensitive functions and store sensitive data just like native apps, but the protection techniques available for them aren’t as robust.

The JavaScript is executed by the engine inside the platform’s WebView rather than being compiled to native instructions, so the app ships its logic as readable source. That limits how far the code itself can be hardened: it can be obfuscated, but not compiled away. What’s more, environment checks (is the device rooted or jailbroken, is a debugger attached, has the package been modified) can be difficult to perform from JavaScript, and how much is possible depends on the framework in use.

This isn’t to say that hybrid app security isn’t possible. It’s just that it can be more challenging and require a bit more thought. And that doesn’t always fit well with a business’ goal of getting their app to market quickly.

One specific risk area for hybrid apps is man-in-the-middle attacks.

Why? Well, it’s a lot harder to protect a browser engine from man-in-the-middle attacks. A WebView is a big, complex component owned by the platform, and its TLS stack is not exposed to the page’s JavaScript. That makes it very difficult to hook at the system level, so measures such as certificate pinning can’t be applied from the web code itself.

Because of this, we’ve seen examples of bad actors exploiting weak server authentication (an app that accepts any certificate, for example, or one that disables validation so it can talk to a self-signed test server) to hijack the communication channel between hybrid apps and the server. That has enabled them to glean valuable information.

Hybrid apps are also at risk of sensitive data exfiltration. Attackers can squeeze through gaps in the app’s defences to steal personal user data as well as cryptographic material such as API keys and tokens. And they are more exposed to tampering and reverse engineering than native apps. That’s because the HTML and JavaScript ship inside the package as plain source: unpack the APK or IPA and the code is there to read and edit, with no decompiler required.

Despite all of these risks, it is possible to develop a hybrid app safely.

Environment checks before the app starts can help to detect tampering, for example by verifying the integrity of the bundled web assets and checking for a rooted or jailbroken device. Communication hardening at the native layer, such as certificate pinning, can stop attackers from carrying out man-in-the-middle attacks. And you can also employ code and content protection designed specifically for hybrid apps. This shields valuable HTML, JavaScript, JSON, XML, and media files.

We’ve spoken at length on this site about the need to find the right balance between speed and security. Hybrid apps are the perfect example of this. They’re attractive to companies because they enable them to get their app to market quickly. But trust is going to be just as valuable in the next decade as speed and convenience.

An app that’s liable to be attacked is never going to win you the trust of your customers. That's why taking some time to plan a security strategy for your hybrid app will be worth it in the long run.