Security considerations when creating a mobile app using PhoneGap

I'm a beginner in creating mobile apps with PhoneGap. I have some doubts about security aspects when creating a mobile app with PhoneGap.

  1. I want to create an app that accesses a web service, e.g. a REST service created using Jersey. Now, am I correct in thinking that a hacker can easily see the security keys/authentication mechanism used to authenticate the client (the mobile app) with the server (where the REST API is used)?

  2. In general, can a hacker easily access all data being sent by the mobile app (which was created using PhoneGap)?

  3. Can a hacker disassemble a PhoneGap app to obtain the original code? Won't he get the native code (e.g. Objective-C in the case of iOS)? Or can he decompile even that into the original PhoneGap code (i.e. HTML+JS)? How do I prevent my code from being decompiled? Is this scenario the same as for most other languages, i.e. hackers with powerful PCs can hack into just about any program/software? Is there some way to prevent this from happening?

Arvind asked May 05 '12 21:05


1 Answer

All right, first take a deep breath. You are probably not going to like some of my answers, but you'll be living with the same issues that we all are.

  1. The best thing to do in this case is to use something like the KeyChain plugin to retrieve your security keys from the native side.

  2. You can take PhoneGap out of the question because it applies to any situation where you send unencrypted data between a client and a server. Anyone can easily listen in using a number of tools, including Wireshark or Ethereal. If you need to communicate with a server, it should be done over an encrypted (HTTPS or SSL) connection.

  3. First I think you are under the mistaken impression that PhoneGap compiles your HTML/JS code into Obj-C. It does not. If the user uncompresses your app they will be able to read your HTML/JS. Also, they'll be able to decompile your Obj-C code as well. This does not take a powerful PC or even an experienced hacker. Pretty much anyone can do it.

My advice to you is not to worry about it. Put your time into creating a truly great app. The people who will pay for it will pay for it. The folks who decompile it would never buy the app no matter what. The more time you spend trying to combat the hackers, the less time you have to make your app greater. Also, most anti-hacking measures just make life harder for your actual users, so in fact they are counterproductive.

Simon MacDonald answered Oct 16 '22 07:10
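Two of the answer's points in working form, as an added example that is not part of the original question or answer: credentials are handed in at runtime from native storage rather than written into the bundled JS, every API call is refused unless it goes over HTTPS, and a pre-release check flags hard-coded secrets in the `www/` bundle that anyone who unzips the app could read. The function names `requireHttps`, `apiRequest`, `findHardcodedSecrets` and the sample bundle are assumptions constructed for this example (a real app would wrap a keychain/keystore plugin as the credential provider).

```javascript
'use strict';

// Refuse any API base that is not https:. Returns the parsed URL on success.
function requireHttps(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'https:') {
    throw new Error('refusing non-HTTPS API endpoint: ' + urlString);
  }
  return url;
}

// Build the request for the REST service. `getCredential` is a provider the
// caller supplies (in a real app, a wrapper around the keychain plugin), so
// no key or token ever appears as a literal in the shipped JavaScript.
function apiRequest(baseUrl, path, getCredential) {
  const base = requireHttps(baseUrl);
  const token = getCredential();
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no credential available from native storage');
  }
  return {
    url: new URL(path, base).toString(),
    headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' },
  };
}

// Pre-release check over the bundled JS: flag assignments that look like a
// hard-coded secret. Heuristic only (non-global regex, so .test() is
// stateless); it catches the obvious cases the answer warns about.
const SECRET_ASSIGNMENT =
  /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i;

function findHardcodedSecrets(source) {
  return source
    .split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => SECRET_ASSIGNMENT.test(text));
}

// Constructed sample of a shipped www/app.js: one real secret, one empty
// placeholder (not flagged), one plain setting (not flagged).
const SAMPLE_BUNDLE = [
  'var apiKey = "sk_live_0123456789abcdef";',
  'var token = "";',
  'var mode = "production";',
].join('\n');

// Stand-alone run: report what the check finds in the sample bundle.
console.log(findHardcodedSecrets(SAMPLE_BUNDLE)); // line 1 is flagged
```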