While the current number of mobile apps based on HTML5 is not that big yet, that trend is set to change in the next few years. Many industry analysts believe that by 2016, almost half of all mobile apps will be developed using the technology. Both Android and iOS users can benefit greatly from the plugin-free, rich-media delivery of mobile apps built using the promising architecture of HTML5. For instance, the mobile app versions of Google Voice, Meebo, and YouTube you’ve been enjoying are all built on HTML5’s ultra-nifty programming language.
The problem is that HTML5 is inherently readable–meaning, anyone can readily reuse and copy it, as well as insert malware into it. This poses new dangers to your mobile device and can compromise your sensitive personal data.
Cross-Device Scripting Attack
Syracuse University researchers uncovered that mobile devices running applications that are based on HTML5 are vulnerable to injection of malicious code, which can be introduced by attackers through Bluetooth pairing, SMS text messaging, 2D barcode scanning, and Wi-Fi scanning. In some cases, playing MP3s and MP4s through HTML5-based apps can pass on the malicious code.
This cross-device scripting attack can propagate the malware via SMS text messaging. The infection can still spread even if the messaged contact is using a smartphone that is different from the mobile device carrying the malware. Because HTML5 is readable on both iOS and Android devices, the malware can cross and spread between these two mobile platforms.
JScrambler works by obfuscation, wherein the original programming code is automatically scrambled in such a way that its functionality is retained. The software developer sends the code to JScrambler. The web-security firm then processes the original code, as well as introduces logic to detect tampering and to make the application break down by design in order to mitigate the effects of a successful attack.