
Is there a recommended way to remove access to unneeded PhoneGap APIs?

For example our app does not need to access the contact database.

With normal web pages, an XSS vulnerability is sandboxed to only affect one site (the browser prevents any contagion to other sites). With a PhoneGap application, by default, an XSS vulnerability can access the contacts list or any other part of the PhoneGap API.

I want to avoid the Skype situation where an XSS vulnerability in Skype allowed an attacker to copy the address books of their users: http://www.macnn.com/articles/11/09/20/users.address.books.could.be.copied/

robocat

2 Answers

2

In your app, under PhoneGap.plist/Plugins, remove any rows for plugins that are not needed - this will remove access from JavaScript.

Shazron
  • I don't see anything pertaining to Contacts (or much else) in PhoneGap.plist. Is it something that needs to be added? – Jason Dean Sep 28 '11 at 02:06
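As an added illustration (not code from the answer or from the PhoneGap project) of treating the Plugins dictionary as an allowlist, the script below rewrites a PhoneGap.plist so that only the named plugins survive, removing anything else (Contacts included) from the JavaScript bridge. The sample plist and its plugin key/class names are constructed assumptions; the real names should be read from the plist in your own Xcode project.

```python
import plistlib

# Constructed sample PhoneGap.plist for this example. The plugin keys and
# class names are assumptions chosen for illustration, not values taken from
# a real project; substitute the entries found in your own PhoneGap.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Plugins</key>
  <dict>
    <key>com.phonegap.contacts</key><string>PGContacts</string>
    <key>com.phonegap.camera</key><string>PGCamera</string>
    <key>com.phonegap.geolocation</key><string>PGLocation</string>
    <key>com.phonegap.notification</key><string>PGNotification</string>
  </dict>
</dict>
</plist>
"""


def list_plugins(plist_bytes: bytes) -> list[str]:
    """Plugin keys currently exposed to JavaScript, sorted for stable output."""
    return sorted(plistlib.loads(plist_bytes).get("Plugins", {}))


def restrict_plugins(plist_bytes: bytes, allowed: set[str]) -> tuple[bytes, list[str]]:
    """Keep only the plugins in `allowed`; drop every other row.

    Returns the rewritten plist bytes and the list of removed plugin keys.
    A name in `allowed` that is not present in the plist is treated as an
    error, so a typo in the allowlist cannot silently strip a needed plugin.
    """
    data = plistlib.loads(plist_bytes)
    plugins = data.get("Plugins", {})
    unknown = allowed - plugins.keys()
    if unknown:
        raise ValueError(f"allowlist names unknown plugins: {sorted(unknown)}")
    removed = sorted(key for key in plugins if key not in allowed)
    data["Plugins"] = {key: cls for key, cls in plugins.items() if key in allowed}
    return plistlib.dumps(data), removed


if __name__ == "__main__":
    new_plist, dropped = restrict_plugins(SAMPLE_PLIST, {"com.phonegap.camera"})
    print("removed:", dropped)
    print("remaining:", list_plugins(new_plist))
```

A plugin removed this way is also removed from the app's own JavaScript, so the allowlist must be derived from what the app actually calls, not from what is convenient.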
0

PhoneGap is Open Source. You could make your own copies of the PhoneGap.js files with those functions disabled (put return false; as the first line of the function or something).

On Android you can do it with the permissions in the AndroidManifest.xml file, but as far as I know, there is not such feature for iOS.

Jason Dean