cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject [Android] SecureToken/NoFrak feature addition
Date Thu, 30 Jan 2014 23:16:19 GMT
Hey

So, to those of you in security circles, this isn't going to come as
any surprise, but it's time we opened up this can of worms:

We got this security advisory over the break, and because it was over
the holiday break, we didn't respond to it before it made it to
BugTraq!  As you probably already know, the whitelist doesn't actually
work on Android 2.3.x for any inline assets, including iFrames.  So,
those of you who are using HTML-based ads in your app need to stop
doing that ASAP! (I'm not kidding, the certificate pinning should have
been your first hint.)

Anyway, I propose we do the following:

* Drop support for Android 2.3.x - I don't care if it's 20% of the
market, if an insecure 20% and people need to stop targeting it
because of how insecure it is.  We can't fix it, and Google and
handset makers have no interest in fixing it either.  It's the IE6 of
Mobile, and Android 2.3.x needs to die.  (In hindsight, I feel bad for
giving a friend of mine my old HTC Desire HD. :( )
* Drop support for Cordova 2.9 - I think we're at the six month window
for this already, and we've only issued one point release after 2.9.0.
* Implement NoFrak as a configurable option for people who aren't
scared of the lack of certificate pinning
* Remove support for addJavascriptInterface for any platform that uses
NoFrak below Jellybean and force them to use prompt

Now, I started work on moving NoFrak to 3.x on my own personal fork
once the PoC author signed the ICLA, and you can find the branches on
my GitHub:

https://github.com/infil00p/cordova-android/tree/SecureToken
https://github.com/infil00p/cordova-js/tree/SecureToken

If we decide to do this, I'll copy the branch over to the official
cordova-android and cordova-js repos and we can work on that fork
there.  Right now it builds, but that's about it.  I haven't
re-written the exec method yet.  Since we're moving this from a 2.9.x
based version of Cordova to the current tree, there's probably a lot
of code that can be refactored and removed.  It also needs a lot of
cleanup, so any help with that would be awesome.

Also, we're going to need tests if we're going to add this as a
feature.  This is a lot of code, but it's probably a good idea to add
this.

Joe

Mime
View raw message