Return-Path: X-Original-To: apmail-cordova-dev-archive@www.apache.org Delivered-To: apmail-cordova-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4337310C7E for ; Fri, 31 Jan 2014 16:58:02 +0000 (UTC) Received: (qmail 21643 invoked by uid 500); 31 Jan 2014 16:58:01 -0000 Delivered-To: apmail-cordova-dev-archive@cordova.apache.org Received: (qmail 21578 invoked by uid 500); 31 Jan 2014 16:58:01 -0000 Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cordova.apache.org Delivered-To: mailing list dev@cordova.apache.org Received: (qmail 21567 invoked by uid 99); 31 Jan 2014 16:58:01 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 31 Jan 2014 16:58:01 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [81.171.37.248] (HELO mail.colokoe.net) (81.171.37.248) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 31 Jan 2014 16:57:56 +0000 Received: from mail.colokoe.net (localhost [127.0.0.1]) by mail.colokoe.net (Postfix) with ESMTP id 4C3882E133; Fri, 31 Jan 2014 17:57:34 +0100 (CET) Received: from webmail2.colokoe.net (localhost [127.0.0.1]) by mail.colokoe.net (Postfix) with ESMTP id 840EA2E0AE; Fri, 31 Jan 2014 17:57:30 +0100 (CET) Received: from 86.89.125.18 (SquirrelMail authenticated user mail@nazgul.nu) by webmail2.colokoe.net with HTTP; Fri, 31 Jan 2014 17:57:34 +0100 Message-ID: In-Reply-To: References: Date: Fri, 31 Jan 2014 17:57:34 +0100 Subject: Re: [Android] SecureToken/NoFrak feature addition From: "Bas Bosman" To: dev@cordova.apache.org Cc: "bowserj@apache.org" Reply-To: mail@nazgul.nu User-Agent: SquirrelMail/1.4.21 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-AV-Checked: ClamAV using ClamSMTP X-Virus-Checked: Checked by ClamAV on apache.org >> >> * Drop support for Android 2.3.x - I don't care if it's 20% of the >> >> market, if an insecure 20% and people need to stop targeting it >> >> because of how insecure it is. We can't fix it, and Google and >> >> handset makers have no interest in fixing it either. It's the IE6 of >> >> Mobile, and Android 2.3.x needs to die. (In hindsight, I feel bad >> >> for giving a friend of mine my old HTC Desire HD. :( ) Because 20% is still a rather large number I would not be in favor of dropping support for 2.3.x. Looking at my apps it's even closer to 30%. I would be in favor though of having 2.3.x support switched off by default, where people developing apps using Cordova have to explicitly turn that support on and we can give them good documentation on what that will mean and how to mitigate risks where possible. >> > 2. Use a shared secret to authenticate communication across the >> > bridge (this is a good idea, probably on all platforms -- I >> > think there may be better ways of doing this though) >> I like how NoFrak hijacks localStorage to do it. If I didn't, I >> wouldn't recommend we use it. :P >> > What's the reason for doing this? E.g. we could > 1 - Have JS create a random # on start-up > 2 - Have JS tell the native side the number > 3 - Have the native side ignore any exec calls that doesn't include that > number. > > Does using localstorage do something more? LocalStorage leverages the browser�s same origin policy to ensure that content from other origins cannot read the token and thus cannot access the bridge. If we use vanilla JS there is nothing stopping the malicious code from reading the random # itself before calling the bridge. Bas