Securing PhoneGap Apps

The Worst PhoneGap Security Issues And How To Avoid Them

Oct 23, 2015 By Sarah Vonnegut

 

Mobile devices have exploded in our modern world. And with the explosion have come implications. Business can be conducted anywhere now, and high-value documents and data can easily be read and shared on the go. While this may be great for productivity levels and greater flexibility, security risks only seem to increase as more cell phones and tablets hit the marketplace.

 

The customers who use our mobile apps aren’t necessarily thinking about security as they use their phones to do any number of things – and it’s on us if our applications are hit by hackers. Each mobile operating system (OS) comes with its own security risks, and developing secure applications for different platforms, written (and secured) in the appropriate language for the platform, can get tricky.

 

In response to the various complications brought about by developing the same application for (very) different mobile platforms, there’s been a move towards converging to a single platform. One of these solutions is PhoneGap. And while it solves a few big problems, it also comes with security issues of its own. Let’s take a look.

 

What is PhoneGap and Why Would I Use It?

 

PhoneGap, for the uninitiated, is a framework for developing mobile apps for Android, iOS, Blackberry, Windows Phone, Ubuntu and Firefox OS. Developers create PhoneGap apps using standard tech: HTML for organization and structure, CSS for design, and JavaScript for logic and anything else.

 

The beauty of the Phonegap framework and underlying Cordova software is that it allows developers to write code for only one app, then have it compiled for use on all the above platforms once it’s written. It also allows developers who don’t know the intricacies of Java, Objective C, or other mobile programming languages, to still be able to create apps for use on mobile platforms. [Check out a list of PhoneGap apps here.]

 

In short, developing apps for multiple operating systems using a single framework offers developers a much more simplistic way of writing apps. It can also be much cheaper if you’re planning on developing your apps for more than one mobile OS. And the technology is catching on, with thousands of apps built and over 400,000 developers using the PhoneGap platform.

 

How Does PhoneGap Work?

 

PhoneGap uses web technology to help bridge the gap between mobile and web.

 

Applications built for PhoneGap are hybrid apps, and are neither fully native or truly web-based, living somewhere in between. Because mobile OS’s don’t natively support HTML5 and JavaScript, PhoneGap apps use WebView, a web container that allows mobile devices to execute JavaScript and HTML5. WebView (called various terms for differing platforms) helps bridge the gap between web and mobile, and various plugins help make an application more robust and native-feeling.

 

Communicating with each OS, PhoneGap uses different APIs (built by PhoneGap) and plugins (both native and custom), which act as the bridge between each platform’s native language and the PhoneGap script. Out of the box, PhoneGap comes with APIs for Camera, Contacts, Compass, Media, FileSystem and more. Plugins extend those functionalities not accessible with the available APIs.

 

For a deeper look at PhoneGap, check out this great post on the PhoneGap blog that explains the platform visually.

 

  1. Cross-Site Scripting

 

When developing on PhoneGap, it’s important to keep XSS in mind while dealing with output. Because PhoneGap apps execute JavaScript on the user’s OS, your app can essentially access plugins which can then be used to call the OS’s native capabilities – which of course can get into dangerous territory if not handled properly.

 

What make XSS exponentially more dangerous in mobile apps is that an attack using an XSS vulnerability can steal your users contacts, the content of users text messages, the notes stored on users’ phones, and more. To see a good example of what kind of damage a cross-site scripting vulnerability, check out Nerdy Beardo’s POC, where he was able to steal all (his own) phone contacts as well as take a picture and send both to a third-party – easily.

 

How to Fix:

 

  • Use whitelisting to only allow certain domains to be accessed by the user.

 

  • Use an encoder library, such as Microsoft’s AntiXSS.

 

  • Sanitize data to make sure that HTML tags aren’t rendered in a way that could allow for an XSS attack.

 

  1. Lack of Source Code Protection

 

One of the most common worries about PhoneGap insecurity is the fact that much of your data is stored locally on the user’s device by default. Anyone with access to your app also has access to your source code. If your code isn’t secure, you’re setting yourself up for any number of malicious attacks left open through vulnerabilities in your code. Anything from reverse engineering and app spoofing to theft of data can happen if you’re not careful in protecting your high-value data.

 

How to Fix:

 

  • Put any and all sensitive data into the native code, which will be compiled, adding a plug-in that will enable the app to access the date.

 

  • Use static code analysis to find any potential vulnerabilities and fix them before releasing. We can help with that.

 

  • Follow the guidelines released on the GitHub repository for PhoneGap security when it comes to encrypting data.

 

  1. JavaScript Security Issues

 

A client side language has it’s pros, but it also comes with various security implications – especially when it’s being executed where it’s not ‘natural’ to do so. Client-side apps, including the ones written for PhoneGap, normally allow anyone to see, modify and send the code under the surface. That makes paying attention to escaping each input and treating all input as evil especially important when developing PhoneGap applications.

 

A study performed by Syracuse University researchers found that out of 764 free Android apps built on the PhoneGap platform, eleven were vulnerable to code injection, and they successfully attacked two of them. While that’s not a significant percentage of vulnerable apps, it’s something to pay close attention to as use of the PhoneGap platform expands.

 

How to Fix:

 

  • Design your app to load JavaScript remotely using a secure API which authenticates the user when the app is first opened.

 

  • Download the JavaScript logic your app needs to run once the user has been authenticated and delete is once the app has closed or after a period of time.

 

Have a look at the AppSec How-To: JavaScript Security Implications for more on JavaScript vulnerabilities.

 

  1. Excessive permission granting

 

In Android applications especially, developers need to be aware of the permissions they’re asking users to grant them.


With PhoneGap’s standard plugins, 16 permissions are requested by default. Each of these permissions adds an additional origin of attack. Should a user be hit by an XSS attack using your app, you can at least minimize the risk of total device takeover by limiting the permissions only essential to your app’s functionality.

 

How to Fix:

 

  • Turn off any permissions not required by your application.

 

  • Secure any potential holes made possible by permissions you need for your app.

 

So – Is PhoneGap Less Secure Than Other Platforms?

 

In short, the answer is no. Out-of-the-box, PhoneGap may come with security issues that need to be addressed, mostly because of how new the platform is, but they’re quickly working out the kinks.

 

The cause of most vulnerabilities comes down to a lack of knowledge regarding what secure code looks like, as well as what issues to watch out for. With a bit of work and some hacks of your own, it is possible to release secure PhoneGap applications. What it really boils down to is in making the conscious decision to submitting your code to whatever testing and changes that are necessary.

 

 

Discussion: What struggles have you had securing your PhoneGap applications? 

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.