Using HTML5 for mobile apps can save costs and provide users with a common experience. But HTML5 comes with its own set of security issues.
Several key facets of the HTML5 platform can increase the surface area for security compromises, which may affect the enterprise through apps developed either in-house or by third parties.
Local storage: Before HTML5, cookies were the only way websites could store local data on the client side. But cookies are limited in multiple ways, whereas HTML5 local storage offers a more robust client-side storage solution, including a relational database with SQL access. With client-side storage, HTML5 apps can be both more sophisticated and faster than their web-based predecessors. Users can access key data offline, and apps can manipulate data without network bottlenecks.
But the data stored on the client side will also be more vulnerable to compromise. Hackers who slip through the “same origin rule” that protects access to local storage could extract sensitive data and leak it to malicious servers. In the mobile realm, physical loss or theft of smartphones and tablets could put sensitive data directly into hackers' hands.
This means that using HTML5 local storage to store sensitive data must go hand in hand with security awareness. This might include siloing the most sensitive data to session-only storage (which is destroyed with app exit), or employing the same robust encryption techniques that would be used to store sensitive data on servers.
Cross-Origin Resource Sharing (CORS): A complex subject whose intricacies threaten to trip up developers, CORS is the rules mechanism that defines which data apps can interact with. Before HTML5, this security policy was known as the Same Origin Policy, and it required that web apps interact with code and content delivered from a common parent server to limit the opportunity for hackers to inject malicious data. CORS expands the limitations of the SOP and provides a more sophisticated syntax by which developers can define which origins are allowed to interact with which app behaviors.
The security risk here is not CORS itself but the opportunity for developers to misuse it, writing rules that are either too broad or too vulnerable to exploitation, giving hackers an in-road to cross-site scripting (XSS) attacks and other forms of data hijacking.
WebSockets: HTML5 WebSockets feature an asynchronous, full-duplex network connection directly between web client and server, enabling “push” communications originating from the server. This technology significantly reduces bandwidth for what would be polling-intensive apps, promising payoff in both reduced data usage and app performance. But WebSockets are, at least currently, opaque to many network security tools, which may rely on packet inspection to qualify traffic. In short, use of WebSockets may dilute the effectiveness of present-day network security defenses like web application firewalls.
HTML5 is not inherently insecure, but enterprises that use it need to look at it like using a Swiss Army Knife -- the new features promise great utility, but also more ways to cut yourself.