cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <>
Subject Re: So...can we merge 4.0.x into master yet?
Date Sun, 25 Jan 2015 17:03:40 GMT
On Sun Jan 25 2015 at 8:34:22 AM Ross Gerbasi <> wrote:

> If I am missing something please let me know but from what I can tell the
> exploit is triggered via some kind of harmful code being executed inside
> the webview. This could come from a button click, or link to some site, or
> maybe somehow someone spoofs a trusted source and actually delivers code
> from a bad source.

That's correct.  The thing is that this is trivially easy to do with
Android code.  If someone installs a Cordova app from a third-party source,
or even from an app store before the harmful app is taken down, they could
be compromised.

> Something like that. I would think most cordova
> applications are self contained sites. So all the requests end up pulling
> local html/js files from the device. Injecting some kind of bad code into
> the application isn't really an option here without some other kind of
> hackery.

You'd think, but we've had this discussion before about NoFrak, third-party
ad code, and third-party cookies.  The more we keep saying that this is the
case, and that people who create cordova apps would be stupid to trust
third-party code, the more we have people do it.  Now, I think there's a
balance between the two viewpoints, and we have to find it.

I think this is more of a concern with corporate applications that are
side-loaded than apps from the Play Store.  Given that alone we should at
least try and address it by releasing 4.0.x.  That still doesn't address
all the things, but it at least gives some options.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message