How much has phonegap been hardened against attackers? Especially XSS flaws in our own pages, where the PhoneGap API is exposed to an unknown attacker.

For example, is the PhoneGap.exec() command secure on the iPhone?

From JavaScript, the PhoneGap.exec command worries me e.g. PhoneGap.exec(successCB, errorCB, "com.phonegap.contacts","search", [{"fields":fields, "findOptions":options}]); (JavaScript for iPhone target copied from here). The exec command should in theory be restricted, and should only be able to access PhoneGap API classes (com.phonegap.contacts in this example) and methods (e.g. search in this example).

If there is an XSS vulnerability in our app then any attacker has an expanded attack surface compared with running in just the browser sandbox. The end user's phone is exposed to any vulnerabilities in PhoneGap that could allow an attacker to gain access to privileged Objective-C code/APIs. The only documentation I could find on PhoneGap security was this.

robocat
    Not a PhoneGap/Security expert but all iOS applications run in their own security sandbox regardless of implementing platform. This should limit the exposure of any PhoneGap specific security holes. http://developer.apple.com/library/ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/RuntimeEnvironment/RuntimeEnvironment.html – Perception Sep 27 '11 at 05:20
  • Relates to android - but may be relevant: http://groups.google.com/group/phonegap-dev/browse_thread/thread/1049124ad37abacb – robocat Oct 05 '11 at 05:26
  • Here is an example of an XSS attack against Skype: http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/ – robocat Feb 10 '12 at 01:46
  • Here is an analysis (possibly outdated) for Android: https://labs.mwrinfosecurity.com/blog/building-android-javajavascript-bridges/ – robocat Feb 23 '16 at 03:16

2 Answers

You can control API access by modifying PhoneGap.plist/Plugins and removing any un-needed ones.

With PhoneGap 1.1 (coming soon) - there is a white-list feature (in PhoneGap.plist/ExternalHosts) where only certain external urls can be connected to - either in JavaScript or Objective-C.

Shazron
  • If you copy that answer over to http://stackoverflow.com/questions/7564533/how-to-disable-phonegap-apis-functionality I can accept your answer since it answers that question exactly! I am not sure it answers the above question :) Thanks – robocat Oct 04 '11 at 00:05
  • OOoops - just realised I am asking you to do what you have already done - duhhh! Now ticked. – robocat Oct 04 '11 at 01:09

This talks about Cordova/PhoneGap security issues:
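An added illustration of the two controls this answer describes (not code from the question, the answer, or the PhoneGap project): a trimmed PhoneGap.plist fragment in which the Plugins dictionary lists only the services the app actually uses, so that any other service name passed to PhoneGap.exec() has no native class to dispatch to, and ExternalHosts names one host instead of a wildcard. The plugin class names (PGContacts, PGNotification) and the host api.example.com are assumptions chosen for the example; check them against the plugin classes shipped with the PhoneGap version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Weak setting would be a single "*" entry, which lets the web view
         reach any host. Listing only the backend the app talks to keeps an
         injected script from loading code from or exfiltrating data to
         arbitrary servers. Host value is an assumption for this example. -->
    <key>ExternalHosts</key>
    <array>
        <string>api.example.com</string>
    </array>

    <!-- JavaScript service name -> Objective-C plugin class. A service that is
         not listed here cannot be reached through PhoneGap.exec(), so every
         plugin the app does not need should be deleted from this dictionary.
         Class names are assumptions for this example. -->
    <key>Plugins</key>
    <dict>
        <key>com.phonegap.contacts</key>
        <string>PGContacts</string>
        <key>com.phonegap.notification</key>
        <string>PGNotification</string>
    </dict>
</dict>
</plist>
```

The point of keeping the allow-list in the plist rather than in JavaScript is that an XSS payload runs with the same privileges as the app's own scripts, so any check written in JavaScript can simply be bypassed; only the native side can refuse a service name.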

http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt

"The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap." would also concern me if it is true.

On Android if PhoneGap uses addJavascriptInterface() for the bridge, then that has serious security implications:

http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html

robocat