Security Guide Apache Cordova


If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge. This means that if you whitelist a third-party advertising network and serve those ads through an iframe, a malicious ad could break out of the iframe and perform malicious actions. Because of this, you should generally not use iframes unless you control the server that hosts the iframe content. Also note that there are third-party plugins available to support advertising networks.

Note that this observation is not true for iOS, which intercepts everything, including iframe connections.

The reason self-signed certificates are not recommended is that accepting them bypasses certificate chain validation, which allows any server certificate to be treated as valid by the device. This opens the communication up to man-in-the-middle attacks. It becomes very easy for an attacker not only to intercept and read all communication between the device and the server, but also to modify it. The device will never know this is happening, because it does not verify that the server's certificate is signed by a trusted CA.
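Because every whitelisted origin can reach the native bridge once its content is loaded, the whitelist in config.xml deserves the same review as the code. The following lint is an added example, not part of the Cordova guide or project: it scans a constructed config.xml for wildcard `<access>`/`<allow-navigation>` entries and plain-http origins, which are the entries most likely to hand bridge access to content you do not control.

```javascript
// Added example (not from the Cordova guide): flag risky whitelist entries
// in a Cordova config.xml. The sample below is constructed for this demo
// and is not a real project file.
const SAMPLE_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.app" version="1.0.0">
  <access origin="https://api.example.com" />
  <access origin="*" />
  <access origin="http://ads.example-network.invalid" />
  <allow-navigation href="*" />
  <allow-navigation href="https://app.example.com/*" />
</widget>`;

// Extract every <access origin="..."> and <allow-navigation href="...">
// entry. A small regex is enough here; a real tool would use an XML parser.
function parseWhitelist(xml) {
  const entries = [];
  const tagRe = /<(access|allow-navigation)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attr = /(?:origin|href)="([^"]*)"/.exec(m[2]);
    if (attr) entries.push({ tag: m[1], value: attr[1] });
  }
  return entries;
}

// Return the entries a reviewer should question: a bare "*" admits every
// origin (and therefore any iframe content) to the bridge, and an http:
// origin can be modified in transit on an untrusted network, so the page
// you end up running is not necessarily the one you whitelisted.
function auditWhitelist(xml) {
  const findings = [];
  for (const { tag, value } of parseWhitelist(xml)) {
    if (value === '*') {
      findings.push({ tag, value, reason: 'wildcard grants every origin bridge access' });
    } else if (/^http:\/\//i.test(value)) {
      findings.push({ tag, value, reason: 'plain http origin can be altered in transit' });
    }
  }
  return findings;
}

for (const f of auditWhitelist(SAMPLE_CONFIG)) {
  console.log(`${f.tag} ${f.value}: ${f.reason}`);
}
```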

The device has no proof that the server is who it expects. Because of the ease of performing a man-in-the-middle attack, accepting self-signed certificates is only marginally better than simply running http instead of https on an untrusted network. Yes, the traffic will be encrypted, but it may be encrypted with the key of a man in the middle, so the man in the middle can access everything, and the encryption is useless except against passive observers. Users trust SSL to be secure, and this would be deliberately making it insecure, so the use of SSL becomes misleading.

If this will be used on a trusted network, i.e., you are entirely inside a controlled enterprise, then self-signed certs are still not recommended. The two recommendations on a trusted network are to simply use http, because the network itself is trusted, or to get a certificate signed by a trusted CA, not a self-signed one. Either the network is trusted or it isn't.
