I'm a beginner in creating mobile apps with phonegap. I have some doubts on security aspects, when creating a mobile app with phonegap.
I want to create an app that accesses a Web service, e.g. a REST service created using Jersey. Now, am I correct in thinking that a hacker can easily see the security keys/authentication mechanism used, to authenticate the client (on a mobile app) with the server (where REST API is to be used)?
In general, can a hacker easily access all data being sent by the mobile app (which was created using phonegap)?
Can a hacker disassemble a phonegap app to obtain original code? Wont he get the native code (e.g. Objective C in case of ios)? Or can he decompile even that into original phonegap code (ie html+js)? How do I prevent my code from being decompiled? Is this scenario the same as for most other languages i.e. hackers with powerful PCs can hack into just about any program/software? Is there some way to prevent this from happening?
Allright, first take a deep breath. You are probably not going to like some of my answers but you'll be living with the same issues that we all are.
The best thing to do in this case is to use something like the KeyChain plugin to retrieve your security keys from the native side.
You can take PhoneGap out of the question because it applies to any situation where you send unencrypted data between a client and server. Anyone can easily listen in using a number of tools including Wireshark or Ethereal. If you need to communicate with a sever it should be done on an encrypted, HTTPS or SSL, connection.
First I think you are under the mistaken impression that PhoneGap compiles your HTML/JS code into Obj-C. It does not. If the user uncompresses your app they will be able to read your HTML/JS. Also, they'll be able to decompile your Obj-C code as well. This does not take a powerful PC or even an experienced hacker. Pretty much anyone can do it.
My advice to you is not to worry about it. Put your time into creating a truly great app. The people who will pay for it will pay for it. The folks who decompile it would never buy the app no matter what. The more time you take trying to combat the hackers takes away from the time you could use to make your app greater. Also, most anti-hacking measures just make life harder for your actual users so in fact they are counter productive.
TLDR -
Consider that you are coding a website and all code ( html and js ) will be visible to user with
Crtl+Shift+i as in browsers
Some points for ensuring maximum security
If your using backend then recheck everything coming from the app
All attacks possible on websites (XSS, redicting to malacious webistes , cloning webistes, etc are possible )
All the data sent to the app will finally be available in some js variables / resource files , Since all variables are accessible by hacker so is all the data sent to app EVEN IF YOU ARE USING THE MOST SECURE DATA TRANSMISSION MECHANISMS
As Simon correctly said in his ans , phonegap or cordova does not convert html / js to native code . Html / Js is available as-it-is
Cordova also explicitly mentions this in their official statement
Do not assume that your source code is secure
Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.
5.Mainly all the techniques which are used by websites to prevent their code from being cloned / easily understood are applicable even here (Mainly it includes converting js code into hard to read format - obfuscating code)
6.Comparing native apps with cordova/phonegap apps native apps , I would say that cordova are easier for hacker only because of lack of awareness between cordova developers who do not take enough measures to secure it and lack of readily available(one click ) mechanisms to directly obfuscate the code vs in android proguard
Sample Cordova App Hacking (NOTE:Phonegap also works in similar way)
I'll show an example to show how easy is it for hacker to hack a cordova app(where developer has taken no efforts in obfuscating the code )
basically we start with unzipping the apk files (apks can be unzipped like zip files )
The contents inside will be similar to this
The source code for cordova apps is present in /assets/www/ folder
As you can see all the contents including any databases that you have packed with the app are visible(see last 2 rows have a db file )
Along with it any other resources are also directly visible (text files/js / html/ audio / video / etc)
All the views / controllers are visible and editable too
Further exploring the contents we find a PaymentController.js file
Opening it we can directly see the js code and other comments
here we note that after user performs payment if it is successful then successCallback is called else cancelCallback is called.
Hacker can simply replace the two functions so that when payment is not successful successCallback is called .
In absence of other checks the hacker has successfully bypassed payment.
Related
I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar like Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning if we change how this "Application Switcher" looks we don't want all applications which use this Switcher to create a new deployment and be newly deployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was just to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The Script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script from a CDN like server and the script tag in the index.html just references this URL. This way we could change this script however we want, and all the applications will always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting a script tag and fetching from a CDN was too simplistic. Now I'm thinking if it would be better to implement a rest endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and instead can handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?
As a newbie to meteor, I found lacking security is one of the first impressions people usually have due to meteor's historic debut and that meteor has taken measurements to address the concern. Therefore I pay more attention to this subject as I am learning it. When following the to-do list tutorial, I noticed, to my surprise, the if (Meteor.isServer) {} block is visible in browser. The tutorial dedicated 2 steps out of 12 to move client-side code to server-side to make it secure. But if server-side code is also visible in browser, isn't that defeated the whole purpose? How could meteor be a secure platform in that regard?
The tutorial is using this simple technique to start things quickly, but hopefully there is a built-in way to prevent server code being sent to the browser.
Every code that you put in the server directory won't be shipped to the client.
Likewise, source code living under the client directory only lives in the browser environment.
This is detailed in the docs section relative to "Structuring your app" :
http://docs.meteor.com/#/full/structuringyourapp
Given that a Cordova app can be plugged in and inspected, are apps inherently less secure that native compiled code? Or do just the same rules apply regarding what's kept in and a normal UIWebView?
After some further research:
In current versions of Cordova, an app compiled with a distribution license prevents web inspection.
Your IPA file can be browsed however, so your source code should not contain any sensitive information. Don't save personal info to the app's sandbox (documents://, localstorage, web directory) since any encryption methods would be easily discovered and reproduced. Save all sensitive information to a password protected API.
You could also use a custom Cordova plugin to get/set sensitive information. Best case would be to use a custom plugin to get/set information from a secure API server (hiding your API parameters).
Also, treat any HTML or JS that have sensitive values as toxic. Delete/Remove them as quickly as possible (including the jquery cache). Make a special effort to remove any and all sensitive info from the DOM when the app moves to the background.
TLDR; Built for production, the active state of your app can be considered as secure as anything in RAM, but you must save any and all sensitive information off the device or use a plugin to do the encryption/decryption.
Can someone explain to me the potential security vulnerabilities associated with having * for the Cordova/PhoneGap url whitelist i.e. allowing all urls?
I just read an article and I think you would be interesting on it. Just check it out:
http://www.nerdybeardo.com/2013/11/phonegap-xss-vulnerabilities-visited/
It just means that your app will trust all external hosts and be able to communicate with them. You'll just have to make sure that your app does not make it easy for users to follow links or input data that could be dangerous.
If you can get away with having to use * that would be best but if you are doing something like a RSS reader then I can't see any other way.
I work for an organisation that needs secure mobile apps and we've ruled out Phonegap / Cordova because of security concerns. Cordova provides a javascript API that allows you to control most of the phone's hardware and major OS components. A web view allows you to load script from anywhere that could then call those API's. Here's a simple example :-
My HTML5 Phonegap app embeds a web page from my forum site to provide some social content,
My forum site has poor controls against cross-site scripting,
A bad guy posts a forum post that embeds some javascript that calls the Cordova API's to get AddressBook contacts,
You view the post on my app and now the bad guy has all of your contacts.
The app itself or any content that it consumes could have an XSS vulnerability that makes the phone wide open.
There are also several other attacks that could be done on the phone itself, particularly if the phone is jailbroken and the JS content of the app can be modified.
Does anyone know of any article/publication on the security architecture of Metro app?
For example, can the metro app call an external service. If it can,
under what condition. Will it prompt the user first? And if so will
they be able to change their restriction later and how?
Cross domain scripting in a website is usually considered a big
no-no. But if I were to turn the same code into a metro app (since
presumably they're both written in Html 5 + js), does it mean I can
make ajax calls to any server irrespective of their domain? Is it
even possible to port a website into an app? If so how easy is that?
What about accessing local file system? Or does it have to go
through the contracts to do so?
And this is kind of related but if I were to write a website (not an
app). And the site was opened using Metro IE10, can it subscribe
into the metro specific js events? I guess I'm trying to figure out
how to save cost by doing as little development as possible. I
prefer a website that can target multiple platforms and only target
specific platform for the features that absolutely require it - also
not to thrilled with the idea of having to go through microsoft in
order to publish my app.
Any help appreciated.
Metro applications can call into web services located on other machines, but their ability to interact with the local machine is severely limited.
Similarly, accessing arbitrary parts of the local filesystem is not permitted. If your application has the documents (or music or photos) library permission, it can access the files in those libraries.