WWW and Mobile Security

For many people, WWW and mobile applications are the primary way to use the internet or other systems, so their impact on security is significant, especially as client‑side features and functions have evolved rapidly. This module focuses on application protection mechanisms and vulnerabilities. The transformation of services and functions into mobile or web applications (appification) acts as a driving force in WWW and mobile ecosystems. Client applications communicate with servers using web technologies through application programming interfaces (webification), which affects WWW and mobile ecosystems alike.

Back in the 1990s, WWW and mobile security focused heavily on server‑side and infrastructure security. Browsers were used mainly to display static websites. Web content became more dynamic in the 2000s, and server‑side security needed to consider, for example, injection attacks. Early mobile devices were limited and used mostly for making phone calls or sending text messages. Mobile security then focused on access control, call security, and SMS security.

The development of modern platforms brought major changes. Web application code is no longer executed on the server but runs in the browser. Browsers use Java, Adobe Flash, JavaScript, and browser extensions, which drastically changed the attack surface of the web. New attack types such as Cross‑Site Scripting appeared, and browser extensions proved vulnerable. In response to these threats, browser vendors and website developers took action. For example, Google Chrome disabled the Adobe Flash extension — which had become a tempting attack target — by default in 2019. Today it is fully removed from browsers, as its developer discontinued support.

Mobile devices also became more versatile. Smartphones and tablets are equipped with motion sensors, GPS, and cameras. They have substantial processing power and storage capacity and are constantly connected to the internet. Mobile operating systems have evolved, and their application frameworks have become increasingly rich and complex. Mobile applications can request access to all device resources and to sensors that use permission‑based access control. Applications also process extremely sensitive user data. Because mobile devices are powerful, versatile, and internet‑connected, they are promising and attractive targets for attackers.

The motto “There’s an app for everything” captures much of recent technological and security development. The app trend led to millions of applications, ranging from flashlights to social media and from online banking to mobile games. In addition, the technologies and protection mechanisms used in WWW and mobile applications converged. Both ecosystems are typically client‑server oriented. Browsers and mobile apps communicate with backend services using web technologies. Communication is largely based on the HTTP protocol and its secure HTTPS extension. Browsers and mobile applications exchange, for example, HTML, JSON, and XML documents, and both make extensive use of JavaScript on the server and client sides. The massive rise of modern web and mobile applications also influenced software distribution models, which shifted from downloading via websites to centralized application stores. In application stores, developers can publish, advertise, and distribute their software, and users can download new applications and updates. Centralized software distribution has a positive effect on update frequency and speed both on the web and on mobile devices.
