Stephen Handley

Reputation: 2475

What are the potential security vulnerabilities associated with the cordova / phone

Can someone explain to me the potential security vulnerabilities associated with having * for the Cordova/PhoneGap url whitelist i.e. allowing all urls?

Upvotes: 1

Views: 1463

Answers (3)

heri.wijoyo

Reputation: 276

I just read an article and I think you would be interested in it. Just check it out:

http://www.nerdybeardo.com/2013/11/phonegap-xss-vulnerabilities-visited/

Upvotes: 1

Andrew

Reputation: 1023

I work for an organisation that needs secure mobile apps and we've ruled out Phonegap / Cordova because of security concerns. Cordova provides a JavaScript API that allows you to control most of the phone's hardware and major OS components. A web view allows you to load script from anywhere that could then call those APIs. Here's a simple example:

  1. My HTML5 Phonegap app embeds a web page from my forum site to provide some social content.
  2. My forum site has poor controls against cross-site scripting.
  3. A bad guy posts a forum post that embeds some JavaScript that calls the Cordova APIs to get AddressBook contacts.
  4. You view the post on my app and now the bad guy has all of your contacts.

The app itself or any content that it consumes could have an XSS vulnerability that makes the phone wide open.

There are also several other attacks that could be done on the phone itself, particularly if the phone is jailbroken and the JS content of the app can be modified.

Upvotes: 0
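As an added illustration that is not part of any answer above, here is the Cordova config.xml whitelist the question asks about, with the permissive form beside a restricted one; the hostnames are placeholders. The `<allow-navigation>` and `<allow-intent>` elements come from the later cordova-plugin-whitelist, whereas the 2013-era whitelist consisted of `<access>` alone.

```xml
<!-- config.xml, permissive form: any origin the WebView can reach may
     serve content that runs inside the app and can call the Cordova
     JavaScript bridge (the forum scenario described in the answer above). -->
<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="*" />
</widget>

<!-- config.xml, restricted form: only the listed HTTPS origins are
     reachable from inside the WebView; everything else is blocked or
     handed to the system browser, where the Cordova bridge does not exist.
     example.com hosts are placeholders, not real endpoints. -->
<widget xmlns="http://www.w3.org/ns/widgets">
  <!-- Network requests (XHR/fetch) are allowed only to the app's own API. -->
  <access origin="https://api.example.com" />
  <!-- Top-level navigation inside the WebView stays on bundled files. -->
  <allow-navigation href="file://*" />
  <!-- Forum links open in the external browser instead of the WebView,
       so third-party content never shares a page with the bridge. -->
  <allow-intent href="https://forum.example.com/*" />
</widget>
```

A Content-Security-Policy meta tag in index.html (restricting script-src to 'self') is a second, independent layer that limits what injected markup can execute even if the whitelist is later loosened.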

Simon MacDonald

Reputation: 23273

It just means that your app will trust all external hosts and be able to communicate with them. You'll just have to make sure that your app does not make it easy for users to follow links or input data that could be dangerous.

If you can get away with having to use * that would be best but if you are doing something like an RSS reader then I can't see any other way.

Upvotes: 0
