Since the InAppBrowser is designed to load untrusted code, it seemed like an interesting component to review. I’ll focus on the iOS implementation, because the vulnerability I identified was specific to it. The CDVInAppBrowser class acts as a UIWebViewDelegate and overrides the webView:shouldStartLoadWithRequest:navigationType: method to intercept page loads within the plug-in’s WebView. Overriding this method is common in iOS applications, since developers often want to define custom URI schemes within a WebView. By reviewing the following Objective-C code from the InAppBrowser plug-in, it is clear that the plug-in defines a gap-iab URI scheme to pass information back to the trusted Cordova WebView via a callback function.
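The interception pattern described above, as an added illustration that is not the InAppBrowser plug-in's own code: a UIWebViewDelegate that recognises a custom gap-iab scheme, declines the navigation, and hands the URL's components to the app's trusted context. The class name BridgeViewController, the trustedWebView property and the JavaScript function hostCallback are assumptions made for this example. It also adds the two checks a reviewer would look for in any such bridge: the callback identifier is allow-listed rather than interpolated, and the payload is JSON-serialized so the trusted WebView receives it as a string argument rather than as code.

```objectivec
// Added example (not Cordova/InAppBrowser source): a minimal UIWebViewDelegate
// that intercepts a custom "gap-iab" URI scheme and forwards its contents to a
// trusted WebView. BridgeViewController, trustedWebView and hostCallback are
// hypothetical names chosen for this illustration.
#import <UIKit/UIKit.h>

static NSString *const kBridgeScheme = @"gap-iab";

@interface BridgeViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *untrustedWebView; // loads third-party pages
@property (nonatomic, strong) UIWebView *trustedWebView;   // hypothetical: the app's own WebView
@end

@implementation BridgeViewController

// Called before every load in untrustedWebView. Returning NO cancels the load.
- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL *url = [request URL];

    // Only the custom scheme is intercepted; every other request proceeds normally.
    if (![[[url scheme] lowercaseString] isEqualToString:kBridgeScheme]) {
        return YES;
    }

    // Both parts originate from the untrusted page, so both are attacker-controlled.
    NSString *callbackId = [url host] ?: @"";
    NSString *payload    = [url query] ?: @"";

    [self forwardToTrustedContext:callbackId payload:payload];

    // Do not let the WebView actually navigate to gap-iab://...
    return NO;
}

- (void)forwardToTrustedContext:(NSString *)callbackId payload:(NSString *)payload
{
    // Check 1: the callback identifier must be plain alphanumerics. Anything else
    // is dropped instead of being spliced into JavaScript source.
    NSCharacterSet *disallowed = [[NSCharacterSet alphanumericCharacterSet] invertedSet];
    if (callbackId.length == 0 ||
        [callbackId rangeOfCharacterFromSet:disallowed].location != NSNotFound) {
        NSLog(@"bridge: rejected callback id %@", callbackId);
        return;
    }

    // Check 2: serialize the payload as JSON so the trusted WebView receives it
    // as a single string value. A top-level array is used because older
    // NSJSONSerialization versions only accept arrays or dictionaries at the root.
    NSError *err = nil;
    NSData *json = [NSJSONSerialization dataWithJSONObject:@[callbackId, payload]
                                                   options:0
                                                     error:&err];
    if (json == nil) {
        NSLog(@"bridge: could not serialize payload: %@", err);
        return;
    }
    NSString *args = [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding];

    // The trusted page receives ["<id>", "<payload>"] and dispatches by id itself.
    NSString *js = [NSString stringWithFormat:@"window.hostCallback.apply(null, %@);", args];
    [self.trustedWebView stringByEvaluatingJavaScriptFromString:js];
}

@end
```

On the trusted side, hostCallback then looks the identifier up in a table of registered callbacks; the native layer never builds a function name or code from the untrusted URL, which is the property a reviewer wants to confirm when auditing a custom-scheme bridge like this one.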
For example, the following URL loaded into the InAppBrowser’s WebView would trigger the functionality.
So far we know the following.
Given that it is common to encounter Cordova/PhoneGap applications built on older versions of the framework and its plug-ins, these vulnerabilities may stick around for a while. The important point is that the specific plug-ins used within a Cordova application can have a large impact on its security. Besides the core plug-ins, developers often graft together mobile applications using third-party plug-ins, which may introduce additional security vulnerabilities. Luckily, most of the plug-ins are open source and available on GitHub, so we can easily review them for security issues during assessments.
Cigital is one of the world’s largest application security firms. We go beyond traditional testing services to help our clients find, fix and prevent vulnerabilities in the applications that power their business.