“Gartner Listed - mobile application security guide 2017”

June 15, 2017

Mobile app security testing checklist – PhoneGap

The cross-platform nature of PhoneGap development can make the platform very tempting, especially for developers with existing web skills. The use of plain-text source files and a reliance on externally-developed plugins for core functionality can, however, leave your project exposed to multiple security issues. When doing mobile app security testing of Phonegap apps it is important to consider the points raised here, in addition to those in our iOSand Android mobile app security testing checklists.

1. Insecure Source Files

Phonegap apps are built on the web foundations of HTML, CSS and JavaScript. Just like the web these files can be obfuscated but never encrypted, so it’s important to ensure that no sensitive information like access keys are included inside. These source files are stored unencrypted in your application package folder and are relatively easy for an attacker to examine.

If you need to use 3rd party services that are authenticated with access keys you should supply them through your own back end system rather than directly from the app. This way the access keys are never exposed through the source code and you can use your own mechanisms for authenticating users. We took a look at the problems of Android apps exposing backends a few months back.

2. Client-Side Business Logic

Whether you’re developing native or hybrid mobile apps you should try to keep as much of your business logic as possible in server-side code. Modern serverless architectures like Firebase can help developers a lot by synchronising user data between the client and cloud, but unfortunately this architecture can encourage developers to manipulate shared application data directly without sufficient access control.

To give an example, your application might have social features and friend relationships. It would be tempting to allow your client logic the access it needs to manipulate your ‘user’ objects to add friend IDs and create relationships. Unfortunately this exposes all of your user data to manipulation by an attacker..

Instead you should restrict access to your data using the data access restrictions provided by the platform. You can then create server-side methods to create the relationships and maintain the integrity of your data. For Firebase you can make use of Cloud Functions to provide server-side functionality quite easily. Other platforms provide similar features such as AWS Lambda or Azure Functions.

3. Remotely Loading Javascript

Given that a Phonegap  application is loaded dynamically it’s tempting to make use of over-the-air deployment services such as Ionic Deploy or CodePush. You may even try to develop your own simple solution for certain sections of your app logic.

Over-the-air deployment allows you to update your application logic without re-submitting your application to Google or Apple for review. As a result the time needed to get app updates out to users is reduced, which may allow you to deal with bugs more quickly or change your functionality based on user feedback. Though this may at first appear to be against Apple’s Terms it is in fact allowed provided the app doesn’t change its core functionality.

The deployment services above will authenticate your app before downloading code but as with any other JavaScript in your app, this can be modified relatively easily depending upon the level of obfuscation you apply. Live deployment services will inevitably expand the attack surface of your app, so you should seriously consider avoiding them if your app is particularly sensitive.

4. Insecure Local Data Storage

Most Phonegap developers will initially gravitate towards LocalStorage for the storage needs of simple apps. Unfortunately LocalStorage is secured only by the platform’s sandboxing features, which would prove useless if the device were jailbroken or the attacker gained physical access to the device.

Developers requiring a simple key/value store like LocalStorage for more sensitive data should explore some of the Phonegap  plugins that are available. These plugins will make use of native secure storage mechanisms such as the iOS Keychain, while exposing them as a straightforward API. Notable plugins are SecureStorage from Crypho as well as the App Security API from Intel.
If you’re looking for more structured data storage Phonegap provides access to SQlite through the WebSQL API. This API provides a wrapper around the SQLite functionality provided on the platform, and as such the same considerations apply as for native apps. Thankfully, as with the native platforms it’s possible to use SQLCipher to encrypt the database contents. There are quite a few Phonegap plugins available to this end, though the sqlcipher-adapter plugin appears to be the most maintained and documented.

5. Insecure Dependencies

One of the best features of Phonegap is the wide range of Phonegap plugins available that help leverage platform features and provide engaging functionality. Unfortunately many of these plugins are seldom maintained, and in turn rely on many other NPM packages to provide functionality. This can make it near-impossible to track exactly what code runs inside your app and leaves you open to poor code quality or even malicious functionality.

A thorough code review is the only way to ensure that your dependency code is secure. However, in some cases you’ll find that that the native portion of the Phonegap plugin is actually supplied as a binary and thus impossible to review. Common sense regarding the source of the plugin, the maintainers, the regularity of updates and the plugin’s popularity are probably the best indicators for quality given the time constraints of most developers. For more sensitive areas like secure storage a more thorough review is recommended. Overall you should try to reduce the number of dependencies for your app, which will reduce your exposure to possible exploits.

6. External Content

If you’re loading external content into your app using the standard window.open() function you’re actually exposing all of the Phonegap APIs to the external website, creating a security risk for your app and its data. To avoid this issue you can use the InAppBrowser plugin provided by Apache. The InAppBrowser functionality is designed to be a drop-in replacement for window.open() that opens the content in an external browser that has no access to the Phonegap APIs or your app.

7. Whitelisting

The Phonegap Whitelist plugin is one of the most important security plugins available for the platform, and one that you should definitely use for your app. By using a carefully-constructed whitelist you can restrict the types and locations of data that can be requested over HTTP. The plugin also allows the definition of CSPs (Content Security Policies), controlling which network requests (images, XHRs, etc) are allowed to be made by your WebView.

Effective whitelisting is a great way to guard against XSS (Cross Site Scripting) attacks. XSS attacks are especially dangerous in a Phonegap application as they allow for the execution of arbitrary JavaScript in the context of the app. This gives the attacker access to all of your internal code including the Phonegap APIs and any plugins you have installed.

8. HTTP Caching

Many developers are unaware of the impact of HTTP caching on their app’s security. By default your Phonegap app will inherit the default HTTP caching profile for the host OS’s web view. This default behaviour will try to increase your app’s performance by caching as much data as possible. Unfortunately this means that any sensitive requests for user data or credentials will be cached unencrypted on the device filesystem.

Ideally we would want to change the caching behaviour selectively from within the app but unfortunately this isn’t possible. The best way to reduce caching on a per-request basis is to modify the cache-control flags on your back-end server to indicate that no caching should take place. This doesn’t guarantee that responses will not be stored in the cache however.

For sensitive data we recommend that you disable caching completely. This can be achieved by using the disable-http-cache plugin, though you should verify independently that this works by examining the device filesystem. If you require more fine-grained control of the disk and memory caching the plugin looks relatively straightforward to modify.

If you’d like more platform-specific detail regarding HTTP caching please check out our OWASP M2 Insecure Data Storage article.

9. Certificate Pinning

There is no proper certificate pinning on Phonegap, in part due to the absence of native APIs to intercept SSL connections to check a server’s certificate. There are a number of workarounds available, such as checking that the server’s public key matches when the app is initialized and throughout its operation.

There also a number of third-party plugins for Phonegap that do the same operation and others that will do true certificate pinning as long as your app does all the network requests using the plugin.

Codified Security is here to help make your mobile app secure whether it’s built with iOS & Android apps built in Objective-C, Swift, Java, Xamarin, or Phonegap. For mobile app security testing try out Codified Security.