Is there a recommended way to remove access to unneeded PhoneGap APIs?
For example our app does not need to access the contact database.
With normal web pages, an XSS vulnerability is sandboxed to only affect one site (the browser prevents any contagion to other sites). With a PhoneGap application, by default, an XSS vulnerability can access the contacts list or any other part of the PhoneGap API.
I want to avoid the Skype situation where an XSS vunerability in Skype allowed an attacker to copy the address books of their users: http://www.macnn.com/articles/11/09/20/users.address.books.could.be.copied/
In your app, under PhoneGap.plist/Plugins, remove any rows for plugins that are not needed - this will remove access from JavaScript.
PhoneGap is Open Source. You could make your own copies of the PhoneGap.js files with those functions disabled (put return false; as the first line of the function or something).
On Android you can do it with the permissions in the AndroidManifest.xml file, but as far as I know, there is not such feature for iOS.
Related
I'm building an iOS app for a company whose website currently makes use of an embedded webpage for login/account creation. This embedded webpage handles some cryptographic logic that is complex to replicate. On the web, they restrict what external webpages can load the embedded webpage by checking the origin, so that only whitelisted domains can load it (e.g. third party company's webpages).
Ultimately they want to make a native version of this login for mobile, but for v1 are considering just embedding the webpage to avoid rushing the API/client side encryption. But they would need the same ability to restrict where it can be embedded.
Is it possible to get the bundle id/app id of the mobile app requesting the page, in a way that can't be modified programmatically e.g. I can't just add a header, because any app could just add the same header. I'm also looking to avoid hardcoding any credentials in the source code.
Youtube has a similar functionality to what i'm looking for, giving the option to restrict video embedding by bundle id. But says its currently not available to iOS apps: https://support.google.com/youtube/answer/6301625?hl=en
However tools like google's OAuth dashboard, require inputting the iOS apps bundle id when setting up an app. Which makes me think it is possible. But experimenting with Charles proxy and WKWebView or SFSafariViewController didn't result in it being sent up by the system. Is there anyway for a website, either through initial load or redirects etc, to get the bundle-id in a safe way?
I'm not sure there is a "proper" way, but before I just bodge together my own incompatible implementation, perhaps there's something in all the standards that can fit my need?
Here's the situation: Apple has declared that apps on their phones MUST include all standard functionality inside themselves. No more iframes with web content! If you need to show stuff from web, open the system browser (Safari)! Unfortunately we need to display stuff from web, so here we go...
Now, the app requires authentication which the user has done previously. We store whatever tokens we need. When the time comes to open the browser, we don't want to force the user to re-authenticate. We need to somehow pass the access credentials to the browser, and preferably do this securely. Furthermore, the webpage in the browser will need a token obtained from our OpenID Connect server.
Unfortunately, the only point of communication between the app and the browser is the URL, so everything that we give will be there, in plain sight. I know that OAuth was pretty worried about this, so much so that they made it impossible to intercept authentication with just the stuff visible on the screen and instead using things like single-use intermediary codes, backchannels and PKCE.
Unfortunately I cannot see any way to use the default flows "out of the box" to achieve what I need. I can think of modifications to those flows that would do it, but I'm not a security expert so I'd rather go with something standard which is vetted by experts.
SCENARIO
It's a good question since many companies want to show existing web content in a secured manner within a mobile app, and to avoid an extra login.
WEB + MOBILE INTEGRATED SOLUTION VIA DISCONNECTED BROWSER?
Ideally what you want to do is pass the mobile app's JWT to the external web content in an HTTP header. iOS APIs such as openURL may not support this however.
You may have to pass a JWT in a query string, in which case I would try to follow a signed request model, though it is not trivial. I have used SalesForce signed requests though not implemented a full solution myself.
Mobile app calls an API method at POST /api/encrypt-token
API returns an encrypted payload that includes the JWT
Mobile app opens a web page at https://mywebapp?token=0a78904cwdu
Web UI calls POST /api/decrypt-token to get the JWT
Web UI stores the token in memory and uses it to call the API
You will want to prevent raw tokens being written to web server logs.
I believe the recommendation for this type pf solution is to use a one time key, as described in the above link. And of course the web session will have some limitations such as silent token renewal not working.
WEB + MOBILE INTEGRATED SOLUTION VIA WKWEBVIEW
In the past I've managed secured web content in a mobile app by making the Web UI get access tokens from the mobile app. This enables an integrated UX and you can use a 'standard as possible' OAuth solution.
When the Web UI runs within a mobile app's web views it no longer does its own OAuth handling and instead calls the mobile app to get tokens and trigger logins
This means there is a single login across web and mobile views, and the Web View gets all the benefits of mobile user experience, such as secure storage of tokens
The Web UI is no longer impacted by things like the web view aggressively dropping cookies
VALID USE OF WEB VIEWS?
Web views are probably not a good long term solution in most cases. I know that Apple are likely to reject apps in 2020 if they use any of these behaviours:
Use of UIWebView - the Cordova default - you need to update to WKWebView
Delivering an app that is solely a repackaged web site with no mobile views
Displaying web content of a dubious nature (ads etc)
I suspect that use of WKWebView used responsibly and justifiably would be accepted. I could be wrong though, so please don't take my word for it.
ONLINE SAMPLES
I will be documenting some stuff about mobile / web integration on my OAuth blog, including code samples.
What would be the best way to obtain an AAD token from an electron app?
Microsoft has 2 javascript authentication libraries: adal.js and msal.js.
Both are designed for browsers and not native Electron apps (For example - AAD won't allow for file:/// scheme as a reply URL).
Sounds like a long term solution would be native AAD packages (like Microsoft built for Apache Cordova), but since that's probably not going to happen any time soon, what is the best short-term option?
Azure Storage Explorer is a good example of an Electron app that does this. It even allows for being logged into multiple AAD accounts at the same time.
You might be able to check out what's going on in the app's dev tools. I've had a poke around and it looks like it uses adal-node npm package instead of the browser based js libraries.
It also looks like it uses an authorization code flow for obtaining tokens.
The Azure AD doesn't support the file protocol as the reply address. To develop the single page application, you can host it on the server and using the server URL as the reply address.
Recently Apache Cordova announced that iOS contains 2 methods to bypass the URL access restrictions provided by the whitelist. An attacker can use any of the 2 methods to load malicious resources in an app that uses a whitelist to only load trusted resources.
As i am new to Cordova, can anyone please provide information how much the above issue will impact the existing application and how.I am using Cordova ios version 3.5.0.
Like it says in the link, this problem allows to inject malicious code into your app, as this involve plugins invocations. This can be used to retrieve all the information that you can extract from your app.
This only can be performed through external links, you if you dont have links to external websites, or paths that you are not controlling, you are protected.
Also, I don't know about the extension of this backdoor, and maybe few people know it, but if you want to be sure, just update to the latest version of cordova-ios.
The documentation at https://developers.google.com/console/help/new/#generatingdevkeys states that:
Create and use an iOS key if your application runs on iOS devices. Google verifies that each request originates from an iOS application that matches one of the bundle identifiers you specify. An app's .plist file contains its bundle identifier. Example: com.example.MyApp
Does this mean that the google APIs (server-side) somehow verify/ensure that only my app can use this key? Or, does it just mean that the iOS libraries that google provides will do a sanity check before accepting the api-key? Is there anything to prevent a malicious user from decompiling my iOS app and re-using this api-key within his own app (making direct HTTP calls without using google iOS libraries)?
Extending this to the api-key used in browsers - the only protection seems to be the Referer check against a whitelist of domains. Is there anything stopping a malicious app developer from taking my api-key from the browser and using it within his native app (which sets a fraudulent Referer header)?
So basicly you are correct the api key is mendetory because only you/your app should have access. But the fact is that everyone with your api key is can have access. And the play store has a big issue with not hidden api keys
http://www.cnet.com/news/thousands-of-secret-keys-found-in-android-apps/
for the second question I have no Idea sorry