Security Beyond Browsers: Why CORS Doesn’t Apply to Mobile Applications

Saurabh Jain

By Saurabh Jain

We have been using Mobile Applications and Web Browsers for more than two decades now and many times heard about the vulnerabilities in Mobile Applications and Web Browsers. Many vulnerabilities are common but many are not. There are a series of vulnerabilities which are not common; the majority of them are from Cross-Origin Concerns.

 

mobile security

In a number of interviews, I was being questioned regarding CORS in Mobile Applications.
● Why do Mobile Applications not have a CORS vulnerability ?
● Can we exploit CORS in Mobile Applications ?
● Mobile Applications have WebViews which are similar to browsers. Do we have browser based vulnerabilities in mobile applications such as CORS ?

Let’s Define CORS and its implementation for a better understanding. We will try to understand the Mobile environment and get into CORS in Mobile and its applicability.

CORS (Cross-Origin Resource Sharing) is a security feature implemented by web browsers to control how web pages from one domain can request,interact and access with resources from a different domain.

CORS is implemented through a combination of server-side configurations and HTTP headers

● Specify the domains(origins) in the web server or application backend that are allowed to access the resources.
● HTTP Request and Response Headers:
○ Origin
○ Access-Control-Request-Method
○ Access-Control-Request-Headers
○ Access-Control-Allow-Origin
○ Access-Control-Allow-Credentials
○ Access-Control-Expose-Headers
○ Access-Control-Max-Age
○ Access-Control-Allow-Methods
○ Access-Control-Allow-Headers

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to prevent web pages from making requests to a different domain than the one that served the web page. This security measure is in place to mitigate the risk of Cross Origin Concerns and related security vulnerabilities.

Noted : Noted : In the context of mobile apps, CORS is not applicable even though mobile applications have Web Views.

Here’s why…

1. Native Code Execution:
Mobile apps are majoritively developed using Native Programming languages (e.g. Java/Kotlin for Android, Swift/Objective-C for iOS). They do not rely on browser-based security features like CORS. Instead, they can make HTTP requests directly through native code, which gives the developers more control over network interactions.

2. No SOP (Same Origin Policy): The Same-Origin Policy (SOP) that enforces CORS restrictions is a browser security feature. Mobile apps are not executed within a browser and SOP is not applicable to them. Therefore, they can freely make network requests to any domain without CORS restrictions.

3. Controlled Environment: Mobile apps are distributed through App stores (Google Play Store and Apple’s App Store) and are subject to review and approval processes, you can read Android and iOS application reviewal process from Android here and iOS here. This helps ensure that malicious apps, which might attempt to exploit cross-origin vulnerabilities, are not readily available to users.

Conclusions
1. Mobile Apps are not subject to CORS restrictions.
2. Mobile Applications use native code for Network connections and interactions
3. SOP is not applicable to Mobile Applications
4. WebViews does not provide cross platform compatibility as Browsers
5. Other Protection Mechanisms like Data Encryption, Input Validation, Server Side Authentication and Authorization etc. must be there in every Mobile Application.

You May Also Like

More From Author

+ There are no comments

Add yours