HTML5-based mobile apps vulnerable to cross-site scripting attacks: Experts

By Indo Asian News Service | Updated: 10 April 2014 13:57 IST

As you are busy sending SMSs, reading emails or listening to music on your smart phone, do you realise that these simple things can get your smart phone infected with 'worms' that can not only steal personal information from your phone, but also infect your friends's phones?

Sound scary? You can blame a new technology that is behind the development of your favourite apps.

An emerging technology called HTML5-based app development has been rapidly gaining popularity in the mobile industry.

"When the adoption of this technology reaches certain threshold, worm attacks would become quite common unless we do something to stop it," a latest report from US-based IT research agency Gartner warned.

By 2016, 50 percent of the mobile apps will be using HTML5-based technologies.

"All major mobile systems would be affected, including Android, iOS, Blackberry, Windows Phone, etc., because they all support HTML5-based mobile apps," the report cautioned.

A notorious problem of the HTML5-based technology is that malicious code can be easily injected into the programme and get executed.

That is why the Cross-Site Scripting (XSS) attack is still one of the most common attacks in the Web.

"XSS attacks can only target at web applications through a single channel (Internet) but with the adoption of the same technology in mobile devices, we have found out that a similar type of attack can not only be launched against mobile apps," Gartner noted.

It can attack from Wi-Fi scanning, Bluetooth pairing, MP3 songs, MP4 videos, SMS messages, NFC tags and contact list.

"As long as an HTML5-based app displays information obtained from outside or from another app, it may be a potential victim," Gartned added.