From: "Terence M. Bandoian"
Date: Thu, 29 May 2014 23:26:17 -0500
To: dev@cordova.apache.org
Subject: Re: Android Plugin API

Please correct me if I'm wrong but, as I understand it, the vulnerability
stems from injecting a Java object into the WebView which, in API levels 16
and below, exposed all of the public methods of the object (small 'o')
including the methods inherited from the Object class.

-Terence Bandoian

On 5/28/2014 9:54 AM, Joe Bowser wrote:
> In case anyone is curious, here's why we minimize reflection:
>
> https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
>
> On Wed, May 28, 2014 at 7:33 AM, Andrew Grieve wrote:
>> Another reasonable approach would be to use a Map, but that can be
>> implemented on top of what is currently exposed. I'm quite wary of
>> Reflection as well.
>>
>>
>> On Wed, May 28, 2014 at 10:06 AM, Joe Bowser wrote:
>>
>>> The execute command exists for security reasons. We don't want any
>>> methods other than execute exposed to Javascript. I also prefer this
>>> approach because it is less prone to less catastrophic bugs than using
>>> Java reflection. We try and only use reflection when we have to.
>>>
>>> On Wed, May 28, 2014 at 5:50 AM, Erik Jan de Wit wrote:
>>>> Hi,
>>>>
>>>> When one is writing a plugin for android ATM the api that you have to
>>>> implement has an execute method that has the action as a string:
>>>>
>>>>     @Override
>>>>     public boolean execute(String action, JSONArray args,
>>>>                            CallbackContext callbackContext) throws JSONException {
>>>>         if ("beep".equals(action)) {
>>>>             this.beep(args.getLong(0));
>>>>             callbackContext.success();
>>>>             return true;
>>>>         }
>>>>         return false; // Returning false results in a "MethodNotFound" error.
>>>>     }
>>>>
>>>> When you have multiple actions this method gets very long. If you
>>>> compare this with iOS, here you don't need a method like this, you could
>>>> 'just' implement the method directly:
>>>>
>>>>     - (void)beep:(CDVInvokedUrlCommand*)command
>>>>     {
>>>>         CDVPluginResult* pluginResult = nil;
>>>>         NSString* myarg = [command.arguments objectAtIndex:0];
>>>>
>>>>         if (myarg != nil) {
>>>>             pluginResult = [CDVPluginResult resultWithStatus:CDVCommandStatus_OK];
>>>>         } else {
>>>>             pluginResult = [CDVPluginResult resultWithStatus:CDVCommandStatus_ERROR
>>>>                                              messageAsString:@"Arg was null"];
>>>>         }
>>>>         [self.commandDelegate sendPluginResult:pluginResult
>>>>                                     callbackId:command.callbackId];
>>>>     }
>>>>
>>>> We could do the same thing for android if we use reflection, making the
>>>> API more similar and removing all the string test by the user. What do you
>>>> think?
>>>>
>>>> Cheers,
>>>> Erik Jan
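As an added illustration of the point made in the thread (this is not code from the thread, nor Cordova's own code), here is Andrew's Map-based suggestion implemented on top of the existing execute() hook. Only the action names registered in the map are reachable from JavaScript; an action string such as "getClass" or "hashCode" falls through to the "MethodNotFound" path instead of landing on a real method, which is exactly the property that a reflection-based dispatch gives up. It assumes the cordova-android classes (org.apache.cordova.CordovaPlugin, CallbackContext) and org.json are on the classpath, and Java 8 lambdas; the package name, the MapDispatchPlugin class, the Action interface and the beep/echo handlers are hypothetical.

```java
package com.example.plugins; // hypothetical package

import java.util.HashMap;
import java.util.Map;

import org.apache.cordova.CallbackContext;
import org.apache.cordova.CordovaPlugin;
import org.json.JSONArray;
import org.json.JSONException;

/**
 * A plugin that dispatches actions through an explicit Map rather than
 * reflection. The map is the complete list of what JavaScript may invoke;
 * every other method on this class, including those inherited from Object,
 * stays out of reach, which is what the single execute() entry point is for.
 */
public class MapDispatchPlugin extends CordovaPlugin {

    /** One handler per action name; the parameters mirror execute(). */
    interface Action {
        void run(JSONArray args, CallbackContext callbackContext) throws JSONException;
    }

    private final Map<String, Action> actions = new HashMap<>();

    public MapDispatchPlugin() {
        // The whitelist. Adding an action is one put() here and nothing else;
        // there is no if/else chain to keep in step with it.
        actions.put("beep", (args, cb) -> {
            beep(args.getLong(0));
            cb.success();
        });
        actions.put("echo", (args, cb) -> {
            // isNull() catches both a missing argument and an explicit JS null,
            // the case the iOS sample in the thread reports as "Arg was null".
            if (args.isNull(0)) {
                cb.error("Arg was null");
            } else {
                cb.success(args.getString(0));
            }
        });
    }

    @Override
    public boolean execute(String action, JSONArray args, CallbackContext callbackContext)
            throws JSONException {
        Action handler = actions.get(action);
        if (handler == null) {
            // Unknown action: returning false makes Cordova report
            // "MethodNotFound" to the caller, just as the if/else version does.
            // An action of "getClass" or "notify" ends up here, not on Object.
            return false;
        }
        handler.run(args, callbackContext);
        return true;
    }

    // Implementation detail: private, and not named by any action, so it has
    // no path from JavaScript. Hypothetical body; a real plugin would drive
    // the device's tone generator here.
    private void beep(long count) {
        lastBeepCount = count;
    }

    private long lastBeepCount;
}
```

Nothing in this class relies on Java reflection: the only strings that reach the plugin are compared against map keys, so a mistyped or hostile action name can at worst produce a "MethodNotFound" result.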