I've been noodling on this idea for a while, but I'm wondering if there are security ramifications.

Basically PhoneGap is just HTML5 running within a native app web browser. (My particular app uses jQuery Mobile to help with the GUI.) I've been thinking about adding the ability to "pull" JavaScript and HTML updates to the app, so I don't have to go through the App Store every time. To give a specific example:

Let's say I submit MyApp v1.0 to the App Store and Apple approves it. It then turns out that one of my buttons in the app is broken.

Normally I'd have to fix the button, resubmit to Apple and wait a week for them to approve it.

But what if I had my app always ping the server on startup and check for executable JavaScript patches? My app could simply pull down a snippet of code like:

$("#mybutton").click(function(event) {
    event.stopPropagation();
    // Here is the right thing to do...
});

As long as this "patch" code is executed at the appropriate time and in the appropriate way, I don't see why it wouldn't work. It would also work great to communicate system outages, etc.

My concern, however, is security. Grabbing some dynamic code from the outside world and executing it blindly sounds scary. Can I trust that if my patch grabber always hits a specific HTTPS URL on my server, that that response is safe to execute? Or could a 'hacker' somehow intercept that patch call and feed in their own malicious JavaScript?

Anthony
  • As popular as RESTful APIs are, as long as you are using common conventions when it comes to security (referrer checking, time stamp validation, tokens, etc.) you should be fine. Every API, I would think, is somewhat vulnerable to attack, but that is what security checks are for. – Leeish Feb 24 '13 at 01:12
  • This could certainly work, but you might just as well find yourself rejected by Apple since you are trying to avoid their approval process. See the answer to http://stackoverflow.com/questions/12460603/ios-auto-updates for example. – Karl-Johan Sjögren Feb 24 '13 at 01:59
  • @Karl-JohanSjögren That's a fair point. On the opposite end, I doubt Apple would even be able to detect it. I can totally imagine their suite of tools set up to evaluate the binary code of an app, but not so much the HTML/JS referenced within resources. Also, I don't think there is much conceptual difference in my code grabbing javascript from an API and running it vs including a – Anthony Feb 24 '13 at 21:50
  • @Leeish I agree! Thanks for the feedback; just wanted a second opinion before I went forward. If you want to post your reply as an answer, I'll flag it. – Anthony Feb 24 '13 at 21:51
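
One way to address the interception concern raised in the question, as an added example that is not part of the original post or its comments: the app executes a downloaded patch only if it carries a valid signature from a release key whose public half is bundled with the app, so the decision does not rest on the transport alone. The envelope format, the helper names `signPatch` and `acceptPatch`, and the use of Node's `crypto` module in place of the app's own verification routine are assumptions.

```javascript
// Added example. Node's crypto module stands in for whatever signature
// verification the app's WebView or a native plugin provides (assumption).
const nodeCrypto = require("node:crypto");

// Constructed key pair for the demo. In a real release flow the private key
// stays offline and only the public key is bundled with the app.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");

// Release side (hypothetical helper): bind the patch to an app version and a
// sequence number, then sign the exact bytes that will be served.
function signPatch(code, appVersion, seq, key) {
  const payload = JSON.stringify({ appVersion, seq, code });
  const sig = nodeCrypto.sign(null, Buffer.from(payload, "utf8"), key);
  return { payload, sig: sig.toString("base64") };
}

// App side (hypothetical helper): return the patch source only if the
// signature verifies against the bundled key, the patch targets this app
// version, and it is newer than the last patch applied. Otherwise null.
function acceptPatch(envelope, bundledKey, appVersion, lastSeq) {
  try {
    const data = Buffer.from(envelope.payload, "utf8");
    const sig = Buffer.from(envelope.sig, "base64");
    if (!nodeCrypto.verify(null, data, bundledKey, sig)) return null;
    const patch = JSON.parse(envelope.payload); // parsed only after verification
    if (patch.appVersion !== appVersion) return null; // wrong build
    if (!Number.isInteger(patch.seq) || patch.seq <= lastSeq) return null; // replay
    return patch.code;
  } catch (err) {
    return null; // malformed envelope: fail closed
  }
}

// Constructed sample patch, modelled on the button fix in the question.
const samplePatch = '$("#mybutton").click(function (e) { e.stopPropagation(); });';
const envelope = signPatch(samplePatch, "1.0", 2, privateKey);
```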

0 Answers