> 1- anyone by checking the network traffic can see that I have this app
> installed.

This is a problem for any app (offline or not) that uses HTTP instead of HTTPS.

> 2- doing MiM it is possible to inject code on the app and leak all the
> passwords I type in the app.

This is also a problem that is not unique to offline apps.

Using SSL for your app should mitigate if not eliminate the problems that you are facing. Only the final destination of the request can be discovered over an encrypted connection (who the user is connected to). The risk of a MitM attack is also greatly mitigated since SSL connections can do some checking to make sure that you're connected to who you think you are (through some clever crypto).

If you're looking to remove the need for a server entirely, consider a packaged app:

https://developer.mozilla.org/en-US/docs/Web/Apps/Packaged_apps

A packaged app doesn't need to connect to a remote server at all, meaning that there's no communication to be intercepted or tracked.

Hope this helps!

----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Friday, May 31, 2013 8:32:36 AM
Subject: Create an offline packaged webapp

I've been puzzled for a while trying to get an offline packaged app. I have packaged my app, and also used html5 cache and localstorage to store all the user settings and (theoretically) prevent the browser from checking the internet for updates. But it seems like nothing can prevent a webapp from checking on startup for changes on the online site.

It's not a functional problem, the app currently works fine offline and online, but it can be a security issue for the following reasons:

1- anyone by checking the network traffic can see that I have this app installed.
2- doing MiM it is possible to inject code on the app and leak all the passwords I type in the app.

This is why I want the app to never look for changes upstream.

I have discussed this on #b2g and I've been redirected to this forum. I know that default system apps (camera, gallery, ...) are packaged apps and they work well (not checking network on startup). How can I make my packaged app work in that way?

Here's the app for testing this issue: http://hass.ffos.lolcathost.org/

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
