cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Clelland <>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 13:14:19 GMT
On Thu, Jan 30, 2014 at 6:16 PM, Joe Bowser <> wrote:

> Anyway, I propose we do the following:
> * Drop support for Android 2.3.x - I don't care if it's 20% of the
> market, if an insecure 20% and people need to stop targeting it
> because of how insecure it is.  We can't fix it, and Google and
> handset makers have no interest in fixing it either.  It's the IE6 of
> Mobile, and Android 2.3.x needs to die.  (In hindsight, I feel bad for
> giving a friend of mine my old HTC Desire HD. :( )


> * Drop support for Cordova 2.9 - I think we're at the six month window
> for this already, and we've only issued one point release after 2.9.0.


If we do this, we'll need to be very clear to the community that it's
unsupported, and specifically that it isn't receiving any security updates
at all from this point on.

> * Implement NoFrak as a configurable option for people who aren't
> scared of the lack of certificate pinning

We should be clear about exactly what this means -- I'm uncomfortable with
just "implement NoFrak" as a goal; it's not a phrase that means anything.
I'd split this into a couple of proposals:

  1. Remove the Cordova Whitelist (not really cool with that, especially on
other platforms -- if an app wants to do it, that's what origin="*" is for)
  2. Use a shared secret to authenticate communication across the bridge
(this is a good idea, probably on all platforms -- I think there may be
better ways of doing this though)
  3. Use the <access> tags in config.xml to determine what domains get to
use the bridge (??? That's not what they're for)
  4. Remove the ability for the client to choose the bridge interface (also
a good idea)

I'm +1 on 2&4 here, -1 on 1&3.

> * Remove support for addJavascriptInterface for any platform that uses
> NoFrak below Jellybean and force them to use prompt

So this covers APIs 11-14 (Honeycomb 3.0 to ICS 4.0.4). Do you mean that we
remove addJavascriptInterface for all of those versions? I'm not sure what
"any platform that uses NoFrak below Jellybean" means.

I don't know enough about the reasons for the different bridges to know
whether this is a good idea or not.

> Now, I started work on moving NoFrak to 3.x on my own personal fork
> once the PoC author signed the ICLA, and you can find the branches on
> my GitHub:
> If we decide to do this, I'll copy the branch over to the official
> cordova-android and cordova-js repos and we can work on that fork
> there.  Right now it builds, but that's about it.  I haven't
> re-written the exec method yet.  Since we're moving this from a 2.9.x
> based version of Cordova to the current tree, there's probably a lot
> of code that can be refactored and removed.  It also needs a lot of
> cleanup, so any help with that would be awesome.
> Also, we're going to need tests if we're going to add this as a
> feature.  This is a lot of code, but it's probably a good idea to add
> this.
> Joe

Sorry to complicate things :)

If we're doing this, I'm more than willing to help out; security is
important. Let me know what I can help you with.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message