Vineeta Sangaraju, Senior Research Engineer, Synopsys Software Integrity Group

The hybrid development risk profile

Remember that the bridge is an extra layer of code. By the “keep it simple” principle, more code means more places for vulnerabilities to appear. Also:

    • Any plugin marketed for a set of platforms introduces security gaps if it is not thoroughly tested against each platform’s latest updates
    • While plugins provide access to native features, the level of control may be limited. This can impact the final application’s ability to implement certain security measures effectively, making bypasses easy
    • Updates in the native world are more frequent, so keeping a hybrid application that relies heavily on third-party plugins up to date is challenging
    • Hybrid applications often rely on communal knowledge, that is, third-party plugins that help access native features. These plugins may harbor vulnerabilities, security flaws, or outdated dependencies
    • Most hybrid apps are likely created through conversion — leaving room for incomplete or insecure use of framework APIs

Keeping hybrid development secure

Without a doubt, hybrid development offers compelling advantages because of the ease and speed it offers. But can you also have native-level security? By incorporating additional or alternate measures, a workable balance between ease and security can be achieved.

  • Pick every plugin wisely. Does it follow basic application security principles? Review the platform-specific APIs corresponding to the chosen plugin.
      ☑ Is the native API deprecated? Has the library taken this into consideration?
      ☑ Does the library expose all the native options, especially the ones related to security?
      ☑ Does the library API work as intended on all platforms?
      ☑ Does the library assign an insecure default when the native platform does not?
  • Build your own plugin securely
  • Fork a plugin and support all native features by referring to the platform documents
  • Periodically review the dependencies and libraries via static code analysis and dependency analysis.
      ☑ Run tools that identify insecure implementations
      ☑ Review dependencies and update as necessary
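The plugin-review checklist above can be turned into a mechanical comparison of a plugin’s JavaScript surface against the native API it wraps. The following is an added example, not code from the article or from any real plugin; the native option catalogue and the plugin description are constructed for illustration, and the shape of both objects is an assumption of the example.

```javascript
// Added example: audit a hybrid plugin's exposed options against the native API it bridges.
// Both descriptions below are constructed, not taken from a real platform or plugin.

// What the native platform API actually accepts (constructed). `secure` marks options
// that affect security; `default` is what the platform uses when the option is omitted.
const NATIVE_API = {
  deprecated: false,
  options: {
    validateCertificates: { secure: true, default: true },
    allowCleartext: { secure: true, default: false },
    pinnedHashes: { secure: true, default: [] },
    timeoutMs: { secure: false, default: 30000 },
  },
};

// What the plugin exposes to JavaScript and the defaults it injects (constructed).
// Note: it weakens one secure default and does not expose two security options at all.
const PLUGIN_API = {
  options: {
    validateCertificates: { default: false },
    timeoutMs: { default: 30000 },
  },
};

// Returns a list of findings; an empty list means the plugin passes these checks.
function auditPlugin(plugin, native) {
  const findings = [];
  if (native.deprecated) {
    findings.push('native API is deprecated; confirm the plugin tracks its replacement');
  }
  for (const [name, spec] of Object.entries(native.options)) {
    const exposed = plugin.options[name];
    if (!exposed) {
      // Checklist item: does the library expose all native options, especially security ones?
      if (spec.secure) findings.push(`security option "${name}" is not exposed by the plugin`);
      continue;
    }
    // Checklist item: does the library assign an insecure default the platform does not?
    if (spec.secure && JSON.stringify(exposed.default) !== JSON.stringify(spec.default)) {
      findings.push(`plugin default for "${name}" (${JSON.stringify(exposed.default)}) ` +
        `differs from the native default (${JSON.stringify(spec.default)})`);
    }
  }
  for (const name of Object.keys(plugin.options)) {
    // An option with no native counterpart is probably silently ignored by the bridge.
    if (!(name in native.options)) findings.push(`plugin option "${name}" has no native counterpart`);
  }
  return findings;
}

console.log(auditPlugin(PLUGIN_API, NATIVE_API));
```

Running the audit against the constructed plugin reports three findings: the weakened `validateCertificates` default and the unexposed `allowCleartext` and `pinnedHashes` options.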