Question

How to protect a mobile website against encapsulation into a rogue native mobile app?

We are developing a mobile application (m.website.com).

Is there a way to prevent a rogue developer from building an iOS / Android native app that simply encapsulates our website into the app using WebKit to perform UI redress attacks or clickjacking?

(We know that the HTTP header ‘X-Frame-Options: Sameorigin’ is effective in the scenario of a malicious website that encapsulates (frames) another website, but how do we prevent encapsulation by a native mobile app?)

Answer

A user cannot trust a web page that is inside an app that they don’t trust.

Therefore, if there was a UI redress attack against your website when using a particular app, then this would be the user’s fault for trusting the application.

Furthermore, if an application developer wanted users to click something on your site using the phone, then they would simply code this into their application. They would not need the user to do it. Browsers within applications use a different set of cookies than the phone browser, so this would not affect any of the user’s existing sessions. They would have had to log onto your site in the application’s browser window, and at that point a rogue application could simply have harvested the credentials anyway.
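To make the gap the answer describes concrete, here is an added example (not code from the original thread or from either poster): a small WSGI middleware that emits the anti-framing headers the question mentions, plus a helper that classifies a request as framed or top-level using the browser-sent Sec-Fetch-Dest header. The header names and values are real; the app, the route and the sample environ dictionaries are constructed for the example. The point it demonstrates is that X-Frame-Options and CSP frame-ancestors only govern loads inside an iframe; a native app that opens m.website.com in a WebView performs an ordinary top-level navigation, so those headers are sent but never consulted.

```python
# Added example, not from the original thread. Assumes a WSGI-style server;
# the demo_app and sample requests below are constructed for illustration.
from typing import Callable, Dict, Iterable, List, Tuple

# Both headers instruct a *browser* which origins may frame the page.
# Legacy header first, CSP directive second; modern browsers honour CSP
# when both are present.
ANTI_FRAMING_HEADERS: List[Tuple[str, str]] = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]


def anti_framing_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so every response carries the anti-framing headers,
    without overriding a header the app already set itself."""

    def wrapped(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(k, v) for k, v in ANTI_FRAMING_HEADERS
                     if k.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for m.website.com (constructed for the example)."""
    body = b"<html><body>m.website.com (example page)</body></html>"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


app = anti_framing_middleware(demo_app)


def is_framed_request(environ: Dict) -> bool:
    """True only when the browser reports the load as an <iframe> subdocument.

    Sec-Fetch-Dest is 'iframe' for a framed load and 'document' for a
    top-level navigation. A WebView inside a native app is a top-level
    navigation (or, in older engines, sends no Fetch Metadata at all), so
    it is never classified as framed: the anti-framing headers cannot
    block it. Absent header is treated as top-level.
    """
    return environ.get("HTTP_SEC_FETCH_DEST", "document") == "iframe"


def handle(environ: Dict) -> Tuple[str, Dict[str, str], bytes]:
    """Run one request through the app and return (status, headers, body)."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Constructed requests: one from a page that frames us, one from a WebView.
    framed = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
              "HTTP_SEC_FETCH_DEST": "iframe"}
    webview = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_SEC_FETCH_DEST": "document"}
    for name, env in (("framed", framed), ("webview", webview)):
        status, headers, _ = handle(env)
        print(name, status, headers["X-Frame-Options"],
              "headers enforced by client:", is_framed_request(env))
```

Running the block shows both requests receiving the same headers while only the framed one is a case where a browser would enforce them. That is the practical takeaway from the answer: the server can (and should) keep sending these headers for the browser-framing case, but the WebView case has to be treated as an untrusted client rather than something the page can refuse to render.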
