Basic Guidelines for Hybrid Apps

[cpholguera]

Thanks @julepka for reopening this discussion:

Original message:

julep Jun 24th at 4:20 PM
Is there any chance we can make a separate section in MSTG for Hybrid apps? I mean one page, not the whole new MSTG chapter. Right now there is just a single paragraph and no possibility to add useful links that may help with security reviews of Hybrid apps.
I can write down some general principles of how to use MASVS and MSTG for Hybrid apps. For example:

• do not trust 3rd party libraries - check the native logic under the hood.
• explore language-specific attacks. For example, for RN it is JavaScript, TypeScript, so XSS is possible.
• links to Flutter, React Native, Xamarin official security docs if any. links to some useful articles, etc.

[cpholguera]

Original discussion from Slack:

Elie Saad 2 months ago
In WSTG we are creating appendices for specific implementations which are part of the document, and can be referenced internally throughout, if this helps as an idea 🙂 (edited)

Sven 2 months ago
Hi @julep. Good question! So this was also a topic a while back and we decided to park everything that is non-native apps into the following excel sheets https://github.com/OWASP/owasp-mstg/#about-hybrid-apps. There is a column in the security requirements tab, where we can put in URLs, references or comments if this test case can be covered in React Native for example. (edited)

Sven 2 months ago
The challenge for us is that it’s already overwhelming with all the changes that are happening for native apps on iOS and Android and to keep track in the MSTG and we decided to not cover also Hybrid Apps as this becomes otherwise endless

Sven 2 months ago
I know the excel sheets are not ideal, but a good way of parking the content for now and make it accessible.

julep 2 months ago
Yeah. I’ve seen those excel sheets... I don’t think I can add anything to it. As I’ve mentioned, MASVS for Hybryd apps is the same. There are core ideas how to use it for hybrid apps. And there is not place right now to write up such ideas.

Carlos 1 month ago
Hi @julep we'll be discussing this in the next weeks. We like the idea of having some fundamental guidelines, generic information and tips serving at least as an entry point and pointing to official sources whenever possible (to avoid maintenance. As Sven said, this would be very hard for us). We'll keep you informed. Meanwhile if you have some draft with ideas please send it to us and we'll take a look.

julep 1 month ago
@carlos glad to hear that 🙂 I don't have a draft right now, but I've written an article about React Native Security (general perspective, no deep technical details): https://www.cossacklabs.com/blog/react-native-app-security.html
Some of the ideas are similar for all Hybrid platforms:

• OWASP Mobile Top-10 shows "Improper Platform usage" as a number one. If native devs are making platform specific mistakes, then devs covering multiple platform are even more likely to make similar mistakes. The notion of Leaky Abstraction fits here perfectly.
• Making Hybrid app means that we need to deal with iOS, Android AND additional platform security. As a result, more types of vulnerabilities are possible.
• Creating Hybrid add means that we heavily rely on a 3rd party framework. It means that if Apple/Google release some changes (fix vulnerability) there is a delay before we are able to update our code because we need to wait for the framework to be updated.
  And then it would be nice to go to some high-level description of each platform. For example, React Native uses JavaScript. It means that some XSS attacks may be possible. Cordova heavily relies on a WebView, so we can commend to pay attention to a WebView section of MASVS/MSTG or something like that.

[cpholguera]

From a previous discussion, also from Slack:

dineshdinz Jun 14th at 1:09 PM
Hi Guys,
Trying to find specific test cases for react native apps, any checklist/info is available ?

12 replies

Dauntless (Jeroen) 2 months ago
The guide itself is intentionally not supporting third-party app frameworks since that would require a tremendous amount of work.

Dauntless (Jeroen) 2 months ago
But RN apps, devs will typically use third party libraries to do all the interesting stuff. So I usually figure out which dependencies they're using (don't forget an nmp audit run) and then look up their source + documentation to figure out how they work

Dauntless (Jeroen) 2 months ago
For example, many biometric auth libraries are just inherently insecure: https://blog.nviso.eu/2021/04/06/a-closer-look-at-the-security-of-react-native-biometric-libraries/

Dauntless (Jeroen) 2 months ago
The same is true for 'secure storage' libraries

dineshdinz 2 months ago
Thanks Jeroen for the detailed suggestions 👍
I will check out those thing.

Carlos 2 months ago
As @Dauntless (Jeroen) said we don't target them but some contributors started some initiatives. Please take a look at the MSTG README.
https://github.com/OWASP/owasp-mstg#about-hybrid-apps

dineshdinz 2 months ago
Thanks @carlos, those sheets helped a lot

Carlos 2 months ago
you're very welcome!

julep 2 months ago
@dineshdinz I actually do security audit of React Native apps based on MASVS. Each requirement is applicable, and it is what I like a lot about MASVS. The only thing you need to do is to dig deeper to understand the internals of the third-party libraries. The additional part is checking for JS-type vulnerabilities. For example, XSS may be possible if you do not sanitize input of the eval() function. As for me, React Native security testing is something like Mobile + JS testing.

[cpholguera]

Some (maybe) useful links:

https://blog.jscrambler.com/securing-ionic-4-cordova-apps/

https://blog.jscrambler.com/securing-react-native-applications/