This is a draft response to the Bugtraq public disclosure made by Martin Georgiev, Suman Jana and Vitaly Shmatikov at the University of Texas at Austin.

A month ago, we received a security disclosure regarding alleged security issues with Apache Cordova on Android, namely that the whitelist is not applied to various documents referenced by HTML pages. However, this is a known vulnerability that we have explicitly documented in the PhoneGap and Cordova documentation since Cordova 3.2.0:

http://cordova.apache.org/docs/en/3.3.0/guide_appdev_whitelist_index.md.html#Whitelist%20Guide

Given that Gingerbread is API level 10, and that Google and device manufacturers are no longer actively maintaining this version of Android, we feel that documenting the issue is an appropriate response. If you need your application to be secure from attacks on Gingerbread, we recommend setting your minimum SDK level higher than 10, since Gingerbread is not a safe or secure platform.

In addition, when developing an application, everything that is loaded into the WebView on Cordova has trusted access to the Cordova API. This includes third-party ad networks. We recommend not loading any web advertisers into the WebView in this manner, since such content is not trustworthy; use third-party plugins to handle advertiser content instead. Web advertisements are not meant for mobile applications: not only are they a security issue, they also offer a very poor user experience.

In addition, other claims were brought that are not security related. These include the following:

PhoneGap’s domain whitelisting on Android (API 11 or higher) and iOS does not adhere to the same-origin policy. Third-party scripts included using <script> tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin.

This is by design. All content is blocked if it does not come from a whitelisted domain, to prevent non-trusted domains from getting access to the Cordova API. This includes advertising networks, which further makes the point that web-based advertising networks should not be used with Cordova. Again, the purpose of Cordova is to give web developers the ability to build hybrid apps with web technologies in a native context. The use case is NOT to display arbitrary web pages, and not to display web advertiser content.
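As an added illustration of the two recommendations above (enumerating the whitelist instead of using a wildcard, and raising the minimum SDK above API level 10), these fragments are not taken from this response or from the Cordova documentation; the application id and domains are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- config.xml for a Cordova 3.x Android app (illustrative; the id and
     domains below are placeholders). Only origins listed in <access>
     may be loaded into the WebView, and so reach the Cordova API. -->
<widget id="com.example.placeholder" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <name>PlaceholderApp</name>

    <!-- Weak setting: a wildcard whitelist. Any origin, including an
         ad network's script, loads into the WebView with Cordova API
         access. Shown commented out; do not ship this. -->
    <!-- <access origin="*" /> -->

    <!-- Corrected setting: list only the origins the app must reach.
         subdomains="true" extends an entry to its subdomains. -->
    <access origin="https://api.example.com" />
    <access origin="https://cdn.example.com" subdomains="true" />
</widget>

<!-- AndroidManifest.xml fragment (separate file): refuse to install on
     Gingerbread (API level 10) and below, where the whitelist gap
     described in this response applies. -->
<uses-sdk android:minSdkVersion="11" />
```

Advertiser content, if needed at all, belongs in a native plugin rather than in a whitelisted origin, since any whitelisted origin gets the same Cordova API access as the app's own pages.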

We welcome security submissions. When presenting a solution, we request that the git history of the project remain intact. However, if the contribution is substantial (new classes added, or bigger than a minor 10-line fix), we require it to be donated to the ASF; more information can be found at http://www.apache.org/licenses/

BugtraqResonseDraft (last edited 2014-01-29 21:53:20 by JoeBowser)