cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bas Bosman" <m...@nazgul.nu>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 16:57:34 GMT
>> >> * Drop support for Android 2.3.x - I don't care if it's 20% of the
>> >> market, if an insecure 20% and people need to stop targeting it
>> >> because of how insecure it is.  We can't fix it, and Google and
>> >> handset makers have no interest in fixing it either.  It's the IE6 of
>> >> Mobile, and Android 2.3.x needs to die.  (In hindsight, I feel bad
>> >> for giving a friend of mine my old HTC Desire HD. :( )
Because 20% is still a rather large number I would not be in favor of
dropping support for 2.3.x. Looking at my apps it's even closer to 30%. I
would be in favor though of having 2.3.x support switched off by default,
where people developing apps using Cordova have to explicitly turn that
support on and we can give them good documentation on what that will mean
and how to mitigate risks where possible.

>> >   2. Use a shared secret to authenticate communication across the
>> > bridge  (this is a good idea, probably on all platforms -- I
>> > think there may be better ways of doing this though)
>> I like how NoFrak hijacks localStorage to do it.  If I didn't, I
>> wouldn't recommend we use it. :P
>>
> What's the reason for doing this? E.g. we could
> 1 - Have JS create a random # on start-up
> 2 - Have JS tell the native side the number
> 3 - Have the native side ignore any exec calls that doesn't include that
> number.
>
> Does using localstorage do something more?

LocalStorage leverages the browserÂ’s same origin policy to ensure that
content from other origins cannot read the token and thus cannot access
the bridge. If we use vanilla JS there is nothing stopping the malicious
code from reading the random # itself before calling the bridge.

Bas



Mime
View raw message