Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to dynamically change Cordova whitelist?

We have an application that has multiple whitelabel solutions for clients - meaning they are hosted under their own domain.

We have one Cordova app and we want that users can visit all these sites with this app, but I don't want to redeploy everytime we sign a new client.

  • is there a way to get to load the whitelist through a url or something? This would mean we can add domains on the fly through our database.
  • is there a huge security risk when you whitelist all urls?

https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/

Example

To clarify, I would love to have something like a URL that you can point to where it loads everytime on startup the whitelist settings.

http://myexampledomain.com/whitelist.config

  <allow-navigation href="*.myexampledomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomainb.com/" />
  <allow-navigation href="*.subdomain.someclientdomainc.com/" />

...this file would be automatic loaded on startup.

Creating a JS based plugin

If there's not current solution, is it possible to do this safe by creating a (JavaScript based) Cordova plugin? Like manually redirecting when the URL we try to load is outside a whitelist?

This means we would Cordova-whitelist everything and use our own plugin to block out everything outside our own whitelist.

(I am aware this is not safe when our database is compromised, but in that case we have bigger problems in general. Our app is for fun and does not rely on critical functionality)

like image 510
Dirk Boer Avatar asked Mar 17 '17 09:03

Dirk Boer


2 Answers

There is no mechanism for dynamically updating the whitelist of an app once built. This would largely defeat the security of offering a whitelist in the first place.

The security risk for whitelisting everything is extremely high, especially if you are loading sites you don't own. Loading those sites into your app's main frame gives them access to the same Cordova bridge to which your app has access -- which means those pages can use the same plugins installed in your app. (Note: Opening those links in the In App Browser or externally does not share the same risks, since that doesn't provide access to the Cordova bridge.)

Side note: the risk is also high even if you use sites you own: should a MITM attack be successfully executed OR your backend hacked malicious content could be served to the end user.

Without knowing more about how your service works, it's hard to offer much more assistance, but I would suggest building a separate app for each client. You can create scripts that automate (almost) everything so that releasing updates to your clients isn't onerous.

like image 171
Kerri Shotts Avatar answered Nov 05 '22 14:11

Kerri Shotts


Here are a couple more options from my experience here:

  1. Open the URLs with the InAppBrowser plugin and the '_system' target. This should open the URL in the native browser, with the URL in full view. This seems to be allowed without whitelist adjustments.

    window.open(url, '_system', 'location=yes,enableViewportScale=yes');
    
  2. If you need to stay in your app (and not open the native browser), you could do a hacky work-around where you load a page that you control and trust, and pass it a dynamic URL. On that page you could then have a iframe whose source is dynamically changed based on the passed in parameters. The app could pass in the desired URL via querystring, then just change the iframe from there.
    Obviously it'd be good to limit the URLs that you'll allow there to a list you control.

like image 33
BRass Avatar answered Nov 05 '22 14:11

BRass