Bypass of Access Restrictions in Apache Cordova iOS - ios

Recently Apache Cordova announced that iOS contains 2 methods to bypass the URL access restrictions provided by the whitelist. An attacker can use any of the 2 methods to load malicious resources in an app that uses a whitelist to only load trusted resources.
As I am new to Cordova, can anyone please provide information on how much the above issue will impact an existing application, and how? I am using Cordova iOS version 3.5.0.

Like it says in the link, this problem allows malicious code to be injected into your app, as this involves plugin invocations. This can be used to retrieve all the information that you can extract from your app.
This can only be performed through external links, so if you don't have links to external websites, or paths that you are not controlling, you are protected.
Also, I don't know the extent of this backdoor, and maybe few people know it, but if you want to be sure, just update to the latest version of cordova-ios.

Related

iOS: make website only embeddable inside my application

I'm building an iOS app for a company whose website currently makes use of an embedded webpage for login/account creation. This embedded webpage handles some cryptographic logic that is complex to replicate. On the web, they restrict what external webpages can load the embedded webpage by checking the origin, so that only whitelisted domains can load it (e.g. third party company's webpages).
Ultimately they want to make a native version of this login for mobile, but for v1 are considering just embedding the webpage to avoid rushing the API/client side encryption. But they would need the same ability to restrict where it can be embedded.
Is it possible to get the bundle id/app id of the mobile app requesting the page, in a way that can't be modified programmatically? E.g. I can't just add a header, because any app could just add the same header. I'm also looking to avoid hardcoding any credentials in the source code.
YouTube has similar functionality to what I'm looking for, giving the option to restrict video embedding by bundle id, but says it's currently not available to iOS apps: https://support.google.com/youtube/answer/6301625?hl=en
However, tools like Google's OAuth dashboard require inputting the iOS app's bundle id when setting up an app, which makes me think it is possible. But experimenting with Charles proxy and WKWebView or SFSafariViewController didn't result in it being sent up by the system. Is there any way for a website, either through initial load or redirects etc., to get the bundle id in a safe way?

Using LinkedIn's iOS 9 SDK for authentication with a webview instead of LinkedIn's mobile app

My iOS app currently offers users the option to log in and sign up with their LinkedIn accounts. I am using this project for the LinkedIn log and OAuth: LinkedInOAuth
With the update to iOS 9, my app now occasionally crashes when a user attempts to log in through LinkedIn using that project, with a runtime exception of WebThread(18): EXC_BAD_ACCESS(code=1, address=0x8)
To resolve this occasional crash, I turned to an updated version of the project I was using that conforms to iOS 9 and LinkedIn's iOS 9 SDK.
The issue is that while this new project has solved the WebThread crashing, it now requires users to download LinkedIn's app (if they don't have it) in order to log in to my app with LinkedIn.
The previous project never had such requirements and would present a webview that allowed anyone with a LinkedIn account to log in.
My question is: is it possible to authenticate with LinkedIn in iOS 9 without requiring the user to download the mobile app? My hope is that it is possible to update the old project to conform to iOS 9 while simply presenting a webview. Thank you!
We only discussed this last week (at the time your question didn't have an answer, but happy to update you now—that is, if you haven't solved this in the meantime).
After scouring several sources I came across this:
Mobile vs server-side access tokens
"Presently, there is no mechanism available to exchange them. If you require tokens that can be used in both the mobile and server-side environment, you will need to implement a traditional OAuth 2.0 solution within your iOS environment to acquire tokens that can be leveraged in both situations."
from: https://developer.linkedin.com/docs/ios-sdk-auth
The premise being that via mobile solutions, they offer single sign-on through their app. This works, but requires their app. Apple's approval process has swung both ways on this, and it appears that it is a flip of the coin as to whether they will allow this or not (the requirement of a third party app). #AroundThen didn't have any luck and his app was rejected due to the requirement, however, other users* have indicated Apple weren't averse to it in their application processes.
Alternatively, there is the web logon process using OAuth2. This is pretty stock for their non-mobile solutions. Currently sharing the tokens between mobile and web solutions is not a default, and if you want to share the same token their solution is the one listed above.
In essence (and copied from my other answer here):
You can test for the presence of the linked-in app:
if it is not there: implement OAuth2 directly through your app
if it is there: use it or your OAuth2 implementation (which you'd probably err on the side of using their app for the link-ability between any features of the app you may need in yours).
Thereby avoiding the REQUIREMENT to have the app installed, but utilising it if it is.
This suggests that authentication away from the app is supported.
Reportedly, #AroundThen has had success with this process.
Good luck!
*1 I'm currently having trouble finding his post, but basically he provided login credentials that Apple attempted to use, but had locality issues and hence couldn't get in, but it was inferred they may have approved it if they had.

AWS Mobile without the SDK

Is it possible to use the AWS mobile services (Cognito, Analytics, etc) without linking all the SDK in an Xcode project?
Background:
* While I am not new to AWS nor mobile programming, the following case is challenging:
We are shipping a mobile "framework" (not app) that uses our AWS for some parts (Authentication, logs).
And, as the AWS SDK has to be linked in the app project itself, this will require us asking all the clients (developers) to download and link it in their own projects.
What is used in the framework is just one request for authentication and one for logging (success/failure, disconnection), so no need for all the SDK.
I wonder if there is a possibility to request AWS services without linking against the SDK?
I know it's possible to put them under an umbrella SDK, or do some cherry picking from their git repository, but both of these seem like overkill.
As the request itself is a simple URL with GET/POST, is there a possibility (or tutorial) on constructing the request manually via NSURLConnection/NSURLSession, etc.?
Thank you
Talking to the AWS APIs is actually not that hard. The main difficulty is signing your HTTP requests, and that's not nearly as bad as it sounds. Which leaves XML parsing accounting for most of the unpleasantness.
I've done it in Go. The most informative part is probably the signing tests.
Indeed, it is possible. You will have to code calls to AWS at the REST level. Everything you need is in the documentation of AWS.
For instance, if you needed to execute actions on EC2, here's what you'd have to code:
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html#structure-of-a-get-request
You can call the HTTP APIs directly. Since the AWS Mobile SDK for iOS and Android are open source, you can look at them directly. Find the AWS Mobile SDK for iOS source on GitHub, and the AWS Mobile SDK for Android on GitHub. Since you mentioned you need an authentication request on iOS, I am guessing you're looking for the Cognito Identity in AWSCore source.
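The request signing that the first answer above names as the main difficulty, as an added example (not code from the answers or from the AWS SDK): a minimal AWS Signature Version 4 signer in Go using only the standard library. The function names are illustrative, and the sample input is the example request and example credentials published in AWS's Signature Version 4 documentation, not real keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}
func hashHex(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s))) }

// SigningKey derives the key scoped to one day, region and service.
func SigningKey(secret, date, region, service string) []byte {
	return mac(mac(mac(mac([]byte("AWS4"+secret), date), region), service), "aws4_request")
}

// Sign returns the Authorization header; query is pre-encoded and sorted, header names lowercase.
func Sign(accessKey, secret, region, service, method, path, query string,
	headers map[string]string, body, amzDate string) string {
	names := make([]string, 0, len(headers))
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names) // canonical form lists headers in sorted order
	canon := ""
	for _, n := range names {
		canon += n + ":" + strings.TrimSpace(headers[n]) + "\n"
	}
	signed := strings.Join(names, ";")
	req := strings.Join([]string{method, path, query, canon, signed, hashHex(body)}, "\n")
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hashHex(req)}, "\n")
	sig := fmt.Sprintf("%x", mac(SigningKey(secret, amzDate[:8], region, service), toSign))
	return "AWS4-HMAC-SHA256 Credential=" + accessKey + "/" + scope +
		", SignedHeaders=" + signed + ", Signature=" + sig
}

func main() {
	// Constructed input: AWS documentation example request and credentials.
	h := map[string]string{"host": "iam.amazonaws.com", "x-amz-date": "20150830T123600Z",
		"content-type": "application/x-www-form-urlencoded; charset=utf-8"}
	fmt.Println(Sign("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "us-east-1",
		"iam", "GET", "/", "Action=ListUsers&Version=2010-05-08", h, "", "20150830T123600Z"))
}
```

In a shipped framework the secret would come from short-lived credentials, such as those Cognito issues, rather than a key embedded in the binary. Every header listed in SignedHeaders must be sent exactly as signed, or the service rejects the request.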

Creating site in Django + iOS compatibility - is this a good approach?

I am looking to create a basic site which allows users to log in (either through email or Facebook authentication) and post their photos for other users of the site to comment on. Much like with Facebook, I wanted posting, deletion and viewing photos/comments to be possible through an iOS app and through the site itself.
I have been carrying out a bit of research myself, and I can see the following options:
Create a site in Django, and use the API framework Tastypie to allow the user to use the get/post/delete commands from an iOS app
Create a site fully in Django, and make this compatible with iOS devices using PhoneGap
Do you have advice on what approach to take - and whether there are alternatives?
It all depends. Do you need hardware functionality that only iOS can provide? If not, it would probably be easier to create a web API and build a mobile-optimized version of the site. This would let you build your business logic quickly in Python. You could then build the client using jQuery. This would provide the advantage of being optimized for any mobile device.

How to disable PhoneGap APIs/functionality?

Is there a recommended way to remove access to unneeded PhoneGap APIs?
For example our app does not need to access the contact database.
With normal web pages, an XSS vulnerability is sandboxed to only affect one site (the browser prevents any contagion to other sites). With a PhoneGap application, by default, an XSS vulnerability can access the contacts list or any other part of the PhoneGap API.
I want to avoid the Skype situation where an XSS vulnerability in Skype allowed an attacker to copy the address books of their users: http://www.macnn.com/articles/11/09/20/users.address.books.could.be.copied/
In your app, under PhoneGap.plist/Plugins, remove any rows for plugins that are not needed - this will remove access from JavaScript.
PhoneGap is Open Source. You could make your own copies of the PhoneGap.js files with those functions disabled (put return false; as the first line of the function or something).
On Android you can do it with the permissions in the AndroidManifest.xml file, but as far as I know, there is no such feature for iOS.
