 

Mobile App Avoiding or Securing CORS?

I am wondering if there is an industry standard for better securing ajax calls on mobile.

My mobile app consists of my website's html, js, & css files -- but installs them locally on the mobile device for performance. The mobile devices' local index.html then calls my web server for data (Tomcat in this case).

The only way I have found this to work is to enable CORS in my servlet:

// Inside the servlet's request handler (HttpServletResponse response)
response.setContentType("text/html");
// Wildcard origin: a page from any site may read this response
response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "GET, PUT, POST, OPTIONS, DELETE");
response.addHeader("Access-Control-Allow-Headers", "Content-Type");
// Browsers may cache the preflight result for one day
response.addHeader("Access-Control-Max-Age", "86400");

But quite honestly, I don't like that for a variety of reasons but mainly -- anything can now query my webserver from any domain and get a response...

How can I achieve the same ajax call to my webserver from a mobile device using CORS - but in a more secure manner so that only my app is allowed access?

** OR ** Is CORS incorrect altogether in this case of mobile and there is a more standard/desirable solution?

Chris asked Jul 20 '15 18:07



1 Answer

CORS is a standard for instructing browsers on what to do when a page from another domain tries to access your domain.

The key term there is browsers. Anyone can construct a request (forging whatever headers they like, including Origin) that hits your server. What the Same Origin Policy and CORS rely on is a cooperative browser placing limits on what foreign scripts can do.

So the news is good. Since your code runs in a private web view in an app, you presumably don't face the risk of a foreign site running code in your view. (As opposed to browsers, where many domains run code in the same browser.)

So, as long as your code is running only on the app, CORS does not make your site any more or less vulnerable than it would be otherwise.

Kevin Christopher Henry answered Sep 18 '22 12:09
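The answer's point that CORS only governs what a browser page may read, never who may call the server, worked through as an added example (not code from the question or the answer). The request/response classes, the allowlisted origin and the bearer-token check are constructed for illustration; the token check stands in for whatever real authentication the API uses.

```python
from dataclasses import dataclass, field

# Constructed allowlist: origins whose pages may read our responses.
ALLOWED_ORIGINS = {"https://app.example.com"}
DEMO_TOKEN = "demo-token"  # constructed credential, stands in for real auth

@dataclass
class Request:
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""

def cors_headers(origin, wildcard=False):
    """CORS headers to attach, or {} when none apply.

    wildcard=True reproduces the question's "*" policy: any page's script
    may read the response. Otherwise only an allowlisted Origin is echoed
    back, with Vary: Origin so shared caches keep the answers apart.
    """
    if wildcard:
        return {"Access-Control-Allow-Origin": "*"}
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def handle(req, wildcard=False):
    """Serve the data. CORS headers are advisory to browsers only; they never
    decide whether the server answers. The token check does that."""
    if req.headers.get("Authorization") != f"Bearer {DEMO_TOKEN}":
        return Response(status=401)
    resp = Response(body="secret data")
    resp.headers.update(cors_headers(req.headers.get("Origin"), wildcard))
    return resp

if __name__ == "__main__":
    auth = {"Authorization": f"Bearer {DEMO_TOKEN}"}
    # A page on another site: served, but no ACAO header, so the browser
    # will not let its script read the body.
    print(handle(Request({**auth, "Origin": "https://other.example"})))
    # Same call with the question's wildcard: the browser now lets it read.
    print(handle(Request({**auth, "Origin": "https://other.example"}), wildcard=True))
    # Native app HTTP client or curl: no Origin at all, CORS never enters.
    print(handle(Request(auth)))
```

The third case is the asker's situation: the app's web view or HTTP client is not a foreign page, so the only thing restricting "who may access" is the authentication the server performs.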