Lost in Translation: Exploring the Risks of Web-to-Cross-platform Application Migration

Authors: Claudio Paloscia (University of Illinois Chicago), Kostas Solomos (University of Illinois Chicago), Mir Masood Ali (University of Illinois Chicago), Jason Polakis (University of Illinois Chicago)

Volume: 2025
Issue: 4
Pages: 24–39
DOI: https://doi.org/10.56553/popets-2025-0117


Abstract: The cross-platform application-development paradigm alleviates a major challenge of native application development, namely the need to re-implement the codebase for each target platform, and streamlines the deployment of applications to different platforms. Essentially, cross-platform application development relies on migrating web application code and repackaging it as a native application. In other words, code that was designed and developed to execute within the confines of a browser, with all the security checks and safeguards that that entails, is now deployed within a completely different execution environment. In this paper, we explore the inherent security and privacy risks that arise from this migration, due to the fundamental differences between these two execution environments, which we refer to as security lacunae. To that end, we establish a differential analysis workflow and develop a set of customized tests designed to uncover divergent behaviors of web code executed within a browser and as an Electron cross-platform application. Guided by the findings from our empirical exploration, we retrofit part of the Web Platform Tests (WPTs) testing suite so as to apply to the Electron framework, and systematically assess mechanisms that relate to isolation and access control, and critical security policies and headers. Our research uncovers semantic gaps that exist between the two execution environments, which affect the enforcement of critical security mechanisms, thus exposing users to severe risks. This can lead to privacy issues such as the exposure of sensitive data over unencrypted connections or unregulated third-party access to the local filesystem, and security issues such as the incorrect enforcement of CSP script execution directives. We demonstrate that directly migrating web application code to a cross-platform application, without refactoring the code and implementing additional safeguards to address the conceptual and behavioral mismatches between the two execution environments, can significantly affect the application's security and privacy posture.
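As an added illustration of the "additional safeguards" the abstract says a migration must implement (example code written for this page, not the paper's test suite or any project's code), the block below audits an Electron BrowserWindow's webPreferences against the isolation and access-control settings a browser would otherwise guarantee, and builds a CSP response header in the shape Electron's onHeadersReceived callback expects. The key names are Electron's; the safe baseline, the finding wording and the sample settings are this example's own assumptions.

```javascript
// Added example: audit Electron webPreferences and attach an app-controlled CSP.
// BASELINE maps each Electron isolation switch to its safe value and the
// risk a browser-era web app inherits when the value is weakened.
const BASELINE = {
  nodeIntegration: [false, 'renderer scripts can reach Node.js APIs such as fs'],
  contextIsolation: [true, 'page scripts share a JavaScript realm with preload code'],
  sandbox: [true, 'renderer process runs without the OS sandbox'],
  webSecurity: [true, 'same-origin policy is disabled for the renderer'],
  allowRunningInsecureContent: [false, 'http content may load inside an https page'],
};

// Returns a list of findings; an empty list means every switch is explicitly
// set to its safe value. Unset keys are flagged because relying on framework
// defaults is exactly the assumption a migrated web app cannot make.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, [safe, risk]] of Object.entries(BASELINE)) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly, set it to ${safe}`);
    } else if (prefs[key] !== safe) {
      findings.push(`${key}=${prefs[key]}: ${risk}`);
    }
  }
  return findings;
}

// The webPreferences object a hardened BrowserWindow should be created with.
function hardenedWebPreferences() {
  return Object.fromEntries(Object.entries(BASELINE).map(([k, [safe]]) => [k, safe]));
}

// Merges an app-chosen CSP into the responseHeaders object that Electron's
// session.webRequest.onHeadersReceived callback receives, so the policy is
// enforced by the app itself rather than trusted to arrive from the origin.
// Wiring in the main process (not executed here):
//   session.defaultSession.webRequest.onHeadersReceived((d, cb) =>
//     cb({ responseHeaders: withCsp(d.responseHeaders) }));
function withCsp(responseHeaders, policy = "default-src 'self'; script-src 'self'") {
  return { ...responseHeaders, 'Content-Security-Policy': [policy] };
}

// Constructed sample: settings a naive migration might keep so browser-era
// code "just works" after repackaging.
const MIGRATED_PREFS = { nodeIntegration: true, contextIsolation: false, webSecurity: true };
```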

Keywords: web apps, cross-platform apps, electron, security lacunae, differential analysis, web platform tests, security policies, security headers

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.