Security testing process for React Native applications
Juhola, Jali (2022)
Master's Programme in Computer Science
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2022-05-23
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-202204233456
Abstract
Many security-sensitive mobile applications are no longer built as separate applications for every targeted native environment; instead they use a hybrid mobile framework such as React Native. The problem with these hybrid frameworks is that each creates its own unique environment, which poses new challenges for security validation and testing of applications built with them.
This thesis is limited to one hybrid framework, React Native, and during the study a security testing model is created for React Native's security testing purposes. Similar studies have not previously been conducted on React Native or on any other hybrid framework that uses platform-specific native components the way React Native does. The research therefore started by defining the parts that React Native applications are built from. For security testing purposes, the relevant parts of React Native are its three environments: the platform-specific Android and iOS environments, the platform-agnostic JavaScript environment, and the bridge used to communicate between the native and platform-agnostic environments. The goal of the model created during the study is to find vulnerabilities in all three of these environments. The model improves on the current state of testing React Native applications, because the model commonly used today was created for testing only the native environments of React Native applications.
Finally, the model is verified in the case study section by applying it in a security testing process on a mobile application built with React Native. Security testing was conducted using two different groups of tools and methods: those used with pure native applications and those used with JavaScript applications.
The study found that the React Native ecosystem has platform specifics inside its platform-agnostic JavaScript parts. These specifics should be taken into consideration during the security testing process. The same applies to other native component-based hybrid frameworks: to gain sufficient security testing coverage, their respective platform specifics should also be taken into consideration.