Since the InAppBrowser is designed to load untrusted code, it seemed like an interesting component to review. I’ll focus on the iOS implementation, because the vulnerability I identified was specific to it. The CDVInAppBrowser class acts as a UIWebViewDelegate and overrides the webView:shouldStartLoadWithRequest:navigationType: method in order to intercept page loads within the plug-in’s WebView. Overriding this method is common in iOS applications, since developers often want to define custom URI schemes within a WebView. By reviewing the following Objective-C code from the InAppBrowser plug-in, it is clear that the plug-in defines a gap-iab URI scheme in order to pass information back to the trusted Cordova WebView via a callback function.
For example, the following URL loaded into the InAppBrowser’s WebView would trigger the functionality.
So far we know the following.
Given that it is common to encounter Cordova/PhoneGap applications that use older versions of the framework and plug-ins, these vulnerabilities might stick around for a while. The important point here is that the specific plug-ins used within a Cordova application can have a large impact on security. Besides the core plug-ins, developers often graft together mobile applications using third-party plug-ins, which may introduce additional security vulnerabilities. Luckily, most of the plug-ins are open source and available on GitHub, so we can easily review them for security issues during assessments.