Cross-platform development tools such as Flutter and React Native are increasingly being used to develop mobile apps. The financial and organizational advantages of using such frameworks are becoming clearer and any perceived shortcomings are being addressed. But what about security? This blog dives into cross-platform tools and argues that security should be cross-platform too.
Companies are facing the challenge of needing to build mobile apps for multiple platforms: for both Android and iOS of course, but increasingly also for HarmonyOS. And there are newer platforms emerging all the time, for example Eclipse Oniro OS targeting IoT.
The need to run apps on multiple platforms is why cross-platform mobile development solutions have emerged as one of the most popular software development trends.
As we will see, Flutter and React Native are the most popular frameworks in use today but there are many other options.
Before discussing security let's look briefly at what's driving this trend and the types of tools available.
Expect Serious Cost Savings and Other Benefits When You Use Cross-Platform Tools
There is quite a lot of data about cost savings of using cross-platform development rather than native development.
There is a general consensus that cross-platform development can be about 30% cheaper than building separate native iOS and Android apps.
Other analysis indicates that if you use a cross-platform framework for the first platform, each additional platform you add costs around 70% less than if you use native tools.
Of course, the savings you actually achieve will be different based on your own environment and processes but you will certainly see the following advantages:
- Code Reusability: Having one codebase for multiple platforms reduces development time and costs compared to building separate native apps.
- Unified Development Team: Cross-platform development requires only one development team skilled in the chosen framework, rather than separate teams for each platform.
- Maintenance Cost Reduction: Cross-platform development lowers maintenance costs as developers will only need to update the codebase once for all platforms.
- Faster time-to-market: The reduced development time allows companies to launch new features faster, potentially leading to better competitiveness and earlier revenue generation.
There may be some additional costs to consider. Cross-platform development frameworks vary in cost. Some, like Flutter and React Native, are open-source and free. However, some specialized plugins might need extra investment. Some testing may still need to be carried out for each platform. Finally, improving performance might need extra work, which can affect time and costs.
Cross-Platform Tool Adoption
Interest in and adoption of cross-platform development platforms is certainly growing. Google search trend charts show that searches for cross-platform development in general and for specific app development tools have been steadily increasing as awareness grows.
The market for cross-platform solutions is expected to grow faster than the overall mobile application market (which of course is projected to continue to grow rapidly). Projections indicate a strong upward trend in the adoption and market share of cross-platform mobile app development tools over the next several years. One example forecast sees the cross-platform app development framework market growing at a CAGR of 16.8% to 2033 to reach $546.7 billion.
In terms of which tools are the most popular, two stand out: Flutter and React Native. These compete for the top position. Behind these two is a cluster of tools: Xamarin, Ionic, Unity, Kotlin, NativeScript and Cordova. The adoption numbers may differ between reports and surveys, but the general picture, with two clear leaders, is consistent across different analyses. After the runners-up, there is a “long tail” of many other frameworks and tools.
Choosing the Right Tool - What are the Choices?
Choice of which tool to use will depend very much on your specific use case and development team. There are plenty of reviews and comparisons of different tools available.
You should however consider the following:
- Adoption: If a solution is widely used it will generally have more responsive support and faster feature velocity. A robust community and ecosystem from a widely adopted tool can greatly facilitate development. React Native benefits from a large, active community and extensive third-party libraries, while Flutter's ecosystem, though younger, is rapidly growing. Some examples of familiar apps built using these tools: Instagram, Facebook and Uber Eats all use React Native and Google Ads uses Flutter. Xamarin is used by UPS and Alaska Airlines and Pokemon Go is built with Unity.
- Performance: Performance is crucial, as it directly impacts user experience. Tools like Flutter and React Native can offer near-native performance, while Flutter's compiled code is cited as providing a slight edge in speed and smoothness.
- Learning Curve for Developers: The ease of adoption is important, especially for teams transitioning to cross-platform development. For example, Flutter uses Dart, which may require some learning for developers unfamiliar with it, while React Native leverages JavaScript, which is widely known. Frameworks that allow for rapid development are important too. React Native's hot reloading feature, for instance, enables developers to see changes in real-time, significantly speeding up the development process.
- UI Consistency: The ability to create a consistent look and feel across platforms is one of the key requirements. Flutter excels in this area with its customizable widget system, allowing for UI designs to be consistently applied across iOS and Android.
- Use-case or Industry Specific: Unity is designed for 2D and 3D game development, and has a strong community and documentation. There are other platforms specially designed for games. For other industries and use-cases the approach is generally to use a standard framework with special add-ons, libraries or APIs. React Native is popular in finance app development.
The Elephant in the Room - Support of HarmonyOS
HarmonyOS is an operating system launched in 2019 by Huawei in response to US restrictions. The new version of HarmonyOS, HarmonyOS NEXT, only supports native apps via Ark Compiler and native APIs. It will not be able to run Android APK apps natively.
If you are thinking ahead and have plans for Mainland China and other international markets then HarmonyOS may be in your future, so it would be good to use a platform which supports it. As of now, however, no major cross-platform development tools have officially announced plans to support HarmonyOS. There is an open issue on the Flutter GitHub repository discussing HarmonyOS support, but no official plans have been announced. Similarly, React Native is currently focused on iOS and Android.
Huawei has launched DevEco Studio which is intended to allow developers to develop and migrate across multiple devices. There are other new initiatives worth keeping an eye on too, for example the Linux Foundation Open Mobile Hub which is intended to support iOS, Android and HarmonyOS.
So this is a case of “watch this space”.
Any Issues with Cross-Platform vs Native?
Cross-platform applications were initially considered a compromise in performance for mobile applications, but that compromise seems to be disappearing. Cross-platform frameworks are placing a strong emphasis on improving performance to deliver more native-like experiences.
While cross-platform tools are gaining traction, native development does remain strong, especially for apps requiring high performance or deep platform integration. The choice often depends on project-specific factors and team expertise.
It is also possible to deploy hybrid applications, using a cross-platform framework but embedding native code to carry out specific functions such as accessing the platform's OS or platform-specific UI functionality. There are some notable hybrid apps: Instagram, Uber Eats, Pinterest and Walmart all use React Native but incorporate some native code for specific UI features.
So What About Security in Cross-Platform Tools?
Security should be a serious consideration as you adopt a cross-platform development approach. Potential issues can be mitigated by applying a Zero Trust approach at run-time.
There are a few potential security threats to be concerned about:
- Code Visibility and Encryption: Some cross-platform frameworks use languages like JavaScript that are more easily readable and reverse engineered compared to compiled native code, potentially exposing app logic. In general, implementing strong encryption across platforms can be more challenging, potentially leading to weaker or inconsistent data protection.
- Third Party Code: Cross-platform apps often rely heavily on third-party plugins, which may introduce their own security flaws if not properly vetted. This can be mitigated by using tools to scan for vulnerabilities in third-party libraries and dependencies.
- Channel Protection: Features like certificate pinning to prevent Man-in-the-Middle attacks can be more complex to implement consistently across platforms. React Native does support SSL pinning. Channel protection can be implemented by using a security solution that implements cross-platform dynamic certificate pinning.
- Access to Platform Security Features: Cross-platform apps often rely on additional abstraction layers and frameworks, which can introduce new vulnerabilities and expand the potential attack surface compared to native apps. Cross-platform apps also may have reduced access to platform-specific security features and APIs compared to native apps, for example platform-specific secure storage options, or managing granular app permissions.
- Limited Runtime Protection: Cross-platform frameworks do not themselves offer runtime application self-protection (RASP) or app or device attestation, but they can integrate with cross-platform RASP solutions and with native attestation solutions such as iOS App Attest and the Android SafetyNet Attestation API.
In general cross-platform frameworks do not focus on security but instead make it easy to integrate other security solutions.
Implementing robust runtime security often requires a combination of framework capabilities, platform-specific features, and third-party solutions. The level of security implementation can vary based on the specific requirements of the app and the sensitivity of the data being handled. Responsibility ultimately lies with the developers to implement and maintain secure coding practices throughout the application's lifecycle.
How to Gain the Advantages of Cross-Platform Development AND Enhanced Security
Even if most cross-platform tools support hybrid models, the development streamlining and cost-saving advantages of cross-platform tools will be seriously reduced if you depend on platform-specific security approaches. The development team will have to juggle different approaches, which adds complexity and slows down deployment. This added complexity can also open up new attack surfaces.
Much more importantly, third party security offerings are much better than proprietary attestation solutions from Apple, Google and Huawei. We have covered this extensively in previous blogs such as “The Apple, Google and Huawei Approach to Mobile App Security is Not Improving”. Proprietary platform-based solutions provide limited security in very restrictive use-cases and better ways can be found for developers and security teams seeking to deploy robust but cost effective security for mobile apps and APIs.
So we recommend that you follow a path that applies zero trust guidelines with “best-in-class” cross-platform security solutions, rather than security solutions that lock developers into an expensive ecosystem.
Fortunately, there are good third-party security solutions which can reduce dependencies on native security tools and approaches. Such tools can be integrated into cross-platform frameworks in order to provide advanced security across platforms in a consistent and unified way. So you can get the benefits of cross-platform and improve your security at the same time. It’s a “win-win” situation!
How Approov Works with Cross-Platform Frameworks
Approov offers mobile app attestation and API protection across platforms.
With Approov, every time there's a request to the backend APIs, the Approov SDK collects information on the app and scans the runtime environment for hooking tools and dozens of other potential threats in the device environment. This information is sent to the Approov cloud service which then decides whether everything is OK and passes a token back to the Approov SDK which integrates that into the request to the back end.
Because of the unique way Approov can get attestation information about the device and the application, API keys can be delivered just in time to the application but only when the device and app are verified as genuine and unmodified. In this way, secrets are always secure and never appear in your code. This can be done in an automated way, independent of the app code.
All you need to do is integrate the lightweight platform-specific Approov SDK with your app. The Approov service of course has deep knowledge of specific platforms in order to evaluate threats, including iOS, Android and HarmonyOS. However, the operation of Approov is the same and the back-end checks can be the same for all platforms. Approov always works consistently and is easy to manage.
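The backend side of the flow described above, as an added example (not code from Approov or from the original post): one platform-independent check applied to the token on every API request. It assumes the token is an HS256-signed JWT with an `exp` claim; the secret, function names and claims are hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical secret shared by the attestation service and the backend (constructed).
const SECRET = Buffer.from('constructed-demo-secret');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Stand-in for the attestation service: mints a token after a successful check.
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Backend check: the same code path whether the client is Flutter, React Native or native.
function verifyToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  // Fix the algorithm server-side; a token declaring "none" or anything else is rejected.
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Length check first: timingSafeEqual throws on buffers of different length.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Tokens are short-lived; a missing or past expiry fails closed.
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}

// Constructed sample: a token minted at a fixed time, checked inside and outside its lifetime.
const NOW = 1700000000;
const sample = signToken({ exp: NOW + 300 }, SECRET);
console.log(verifyToken(sample, SECRET, NOW).ok, verifyToken(sample, SECRET, NOW + 301).reason);
```

Because the check depends only on the token, a request from a repackaged app or a script that never obtained a token fails at the same point on every platform.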
Integrating Approov into mobile applications is straightforward, and quickstart guides are provided for all the popular platforms including React Native, Flutter, Cordova, Ionic, Unity, NativeScript and many others. There are also quickstarts for native iOS and Android apps. See the full list of supported quickstarts here. If your platform of choice is not listed, a generic integration approach is also straightforward.
Conclusion
If you use Approov with your choice of a cross-platform development tool you will be on a path to major cost savings as well as consistent and better security for your apps and APIs.
Approov are experts on mobile app security. We would be happy to discuss your specific use-case.