JavaScript Security Risks In Hybrid Mobile App - javascript

Let's assume HTML5 web page with (in)appropriate server-side background so that http://www.my-site.com/execute?query="SELECT * FROM Table" gets executed via AJAX and returns results. Not very smart, indeed.
But how about when in context of hybrid mobile app, i.e. HTML5 app inside iOS/Android/WindowsPhone wrapper/skeleton delivered as an application through appropriate store?
Q: Do we consider JavaScript safe when in context of hybrid mobile app?

I would say no.
If somebody looks at your network communication, or maybe if you accidently forget some debug logging, it's probably fairly easy to find out the url.
And the query probably would also work when called in a browser (being mobile or desktop).
Of course you can ask yourself: how popular is your mobile app and would anybody even try to hack it. But I wouldn't bet on that.
Edit: we usually use something like a (REST) API, and the answer from the server is JSON which is then parsed by the client. Don't let anybody be able to type in SQL queries!
A: In terms of "security" on iOS: you can browse the device with e.g. iExplorer. On Android, there are also ways (rooted device or adb). Given the phonegap structure, your javascript would then be located in the "assets_www" folder or similar. So if somebody wants to, he/she can look at the javascript source just like on the web.

It will cause a serious misery.
Once someone finds your AJAX url, they will be able to delete or insert anything into your database.
Reverse engineering of applications is very common, so one will be able to find your AJAX URL very easily once they just decompiled your app. Hybrid mobile apps can be very vulnerable if you think of them like native apps.
Additionally, using proguard will not help securing your html/js source codes, so you'd better just think of them as websites' front-end where all the sources are open, and keep the same level of security.

Related

protect contents of cordova android app

I'm developing a Cordova app for Android (so it's all HTML/CSS/Javascript code).
This app is going to feature contents that I don't want them to be freely distributed on the internet, mostly audios, videos and some XML files.
Although those contents will be loaded from a server and other content providers, a user could unzip the APK and look into the www folder, analyze the source code (mostly jQuery and jQuery Mobile stuff) and find the direct paths to all those contents. Then, easily download them. Those paths might be inside the javascript code or inside XML files.
Is there any way to prevent this? I know of JS obfuscators, but I believe that they're pretty easy to reverse.
I think you've pretty much answered your own question. Obfuscation is the only way to "protect" the Javascript code, and there really is no way to protect the content. You try encryption, but the Javascript code to un-encrypt it will be exposed, so that solution practically useless.
Perhaps one option is to encrypt content on the server with a key provided by the user, then download it on the app's first run. This has obvious drawbacks as well: Some kind of separate user registration or account is required, entering a password every time the app starts is inconvenient, dealing with lost passwords, et cetera.
There are lots of obfuscation libraries for Javascript, just Google for them.
"Resources are world-readable by design.
Even if you were to not package the ""images or soundFX files"" as resources but were to download them on first run,
users with root access could still get to the files.
Since this is not significantly different than any other popular operating system humanity has developed,
it is unclear why you think this is an Android problem.
Sufficiently interested users can get at your ""images or soundFX files"" on iOS, Windows, OS X, Linux, and so on."

access iPhone GPS from javascript webview

I have a basic query while developing hybrid iPhone application
1) How can we access iPhone native functionalities like GPS from web UI javascript WITHOUT help of third party frameworks like quickconnect iPhone or PhoneGap
2) What is the flow , architecture for the same? i.e. how javascript communicates with the native code.
3) All comments, URL, information for the same are most welcome!
4) Can I upload my app on appstore using quickconnect?
5) I think using phonegap, we cannot upload on appstore, we have to upload on phonegap only. plz comment
Thanks
1) How can we access iPhone native functionalities like GPS from web UI javascript WITHOUT help of third party frameworks like quickconnect iPhone or PhoneGap
Check out the HTML GeoLocation API. Apple also exposes other cool stuff like accelerometer data via JavaScript APIs. So you don't always even need native code.
2) What is the flow, architecture for the same? i.e. how javascript communicates with the native code.
Actually, for some information, like location data, you do not need native code (see above). However, in general, if you want to communicate with native code from a WebView in an iPhone application, you would usually register a URL handler in the WebView's delegate, then do some fancy tricks with window.location to trigger the handler when needed. To send data back to the WebView, you just need to use the self-explanatory [webView stringByEvaluatingJavaScriptFromString:(String)] method.
For communication like this, I usually end up writing my own little library that allows me to call certain native handler methods from JavaScript and also register to receive messages from the native code. You'll probably end up doing the same. It's simple, intuitive, and fun. I recommend the experience.
3) All comments, URL, information for the same are most welcome!
See the links above.
4) Can I upload my app on appstore using quickconnect?
I've never used quickconnect so I can't answer that one.
5) I think using phonegap, we cannot upload on appstore, we have to upload on phonegap only. plz comment
I've never heard of people having trouble with posting a PhoneGap based application to the AppStore. Though I must admit I've never attempted it myself. I imagine that I would have heard if Apple had stopped accepting PhoneGap based applications. But Apple is pretty moody. So who knows?
(I'd check on my sources on that one if I were you, though)

Converting Grails web application to offline web application

I've been doing some research on the HTML5 local storage/offline capabilities and I'm beginning to get a better understanding of it. I've been designing a billing application with Grails and I'm just wondering if it is possible to set up a Grails application to be an offline web application, like you can with HTML5 (by utilizing a Manifest file). If so, would it be set up in the same way that you'd set it up with HTML5, or would there be any key differences to make a note of? Also, what is the best way to implement the local storage functionality of HTML5 in Grails? Is there any plugin or framwork available for this purpose . Has anyone ever used this plugin/framework before, and if so, do you know if there are any guides or examples that use it anywhere that would be really able help me get started with it?
I'd appreciate the information on making a Grails app work "offline
Thanks in advance!
I am developing an offline HTML5 app, myself. The biggest difference is that it is a single page rather than many small ones (but it might work that way if you tried it; you would need to be sure it got all the data it needs at startup).
Don't forget to add the application cache mime type to your configuration.
I never thought to look for a plugin for local storage. In my project, the local tables (I'm using WebSQL because it's in Webkit browsers) are different from the domain classes because they have a different function; that is, they have to hold the data for the domain tables untilthe device can sync with the host.
I hope there is something useful here.
Ed

Are client-only web applications possible?

I want to create an internally used web app that can be run with just a copy of the web app and the DB (anything from a text file to MS Access/Excel would work fine). Is this possible? I don't want users to have to setup a SQL server to get the app to work. Having the files necessary to run the web app stored on a shared network drive would be ideal, for example. The problem is that JS can't write to a DB. Is there anything that can use to do this?
Like mentioned, I can assume that Access/Excel are installed, if there's anything that might help there.
It's most certainly possible. W3 has put up the specs for a client side database that can be accessed by JavaScript. The modern browsers have good support for it, and since this is for an internal application, you would have some level of control I believe.
Checkout this slide that shows a live demo of Indexed Database. The full spec can be found here. See this link for browsers that currently support IndexedDB. Here's another set of slides showcasing how to use IndexedDB.
However, with this approach, each user's browser has its own DB locally. If you want a centralized DB, then you will need a server.
You can perform database transactions with JavaScript. This is generally discouraged, because it has terrible security implications. However, in a completely local environment, you are probably not causing any additional security risks. (Because, your database is already on the user's machine.) You can see an example of how to use ADO in JavaScript at How to connect to SQL Server database from JavaScript in the browser? .
Possible, yes, Like Making cars that can float in the sea but could not work on dry roads.
Use winforms or something similar. Use the right tool.
If you insists, Firefox plugins can behave in the way you mentioned, and there is a way to bundle a web application with it's server (check the beginner tutorials for RoR to have an example for something similar with webrick).
If I understand your requirements, you might look into ColdFusion.
For example, you can run a DB query pretty simply, check here, in Adobe

Communication between RS422 serial device and Javascript

I've written a simple web page that uses Javascript to control a Quicktime plugin for movie playback. There's also some AJAX stuff using jquery to get info on the movies from an MSSQL database. The web page is served to the user from an Apache 2.0 server, this also hosts MSSQL. The end users will view the page in IE6 (unfortunately).
My problem is that the end users now want to use an RS422 jog/shuttle deck control to drive the movie timeline, in place of another jog/shuttle unit that relied on emulating keypresses which was easy for me to detect.
As I'm not a programmer I'm at a loss what to start looking at for a solution to receive the RS422 data and then send that to the Javascript to control the timeline. Is this something that a custom activeX bit of code could do? I've googled ActiveX with Javascript but it's unclear to me (as a novice) how the two work together, or whether this would be suitable at all.
If anyone could give me an overview of what to start researching that'd be much appreciated.
Many thanks.
Jon
JavaScript runs in a sandbox and has no access to the computer at all (for security reasons; you really don't want to make it any more simple for frauds to get at your credit card data).
ActiveX would work but it's a security risk, too. ActiveX is written in C++, no JavaScript there. You'll find information about that on the M$ Website. Note that ActiveX is usually disabled today because of said security risks. Depending how serious your client take security, the virus scanner might not allow to start an A/X control.
Another option would be to write small program which is installed on the client's computer that reads the serial port and send that to the web server where your JavaScript can query it. Okay, that's more than a bit convoluted but probably the least risky.
Or you write a program which transforms the serial codes into key presses (just create the event and post it to Windows). Again, you need C++ or maybe Python with the win32 package.
Your client must understand that this is something which sounds incredibly simple but you'll have to jump through a lot of hoops to make it work. A web browser is not a local application with full reign of the hardware (and it must never be).

Categories