On Jul 10, 2013, at 4:29 PM, Matt Basta <[email protected]> wrote:

>> 1- anyone by checking the network traffic can see that I have this app
>> installed.
>
> This is a problem for any app (offline or not) that uses HTTP instead of
> HTTPS.
>
>> 2- doing MiM it is possible to inject code on the app and leak all the
>> passwords I type in the app.
>
> This is also a problem that is not unique to offline apps.
>
>
> Using SSL for your app should mitigate if not eliminate the problems that you
> are facing. Only the final destination of the request can be discovered over
> an encrypted connection (who the user is connected to). The risk of a MitM
> attack is also greatly mitigated since SSL connections can do some checking
> to make sure that you're connected to who you think you are (through some
> clever crypto).
>

In addition, you could use CSP to mitigate some kinds of XSS attacks: http://www.w3.org/TR/CSP/

> If you're looking to remove the need for a server entirely, consider a
> packaged app:
>
> https://developer.mozilla.org/en-US/docs/Web/Apps/Packaged_apps
>
> A packaged app doesn't need to connect to a remote server at all, meaning
> that there's no communication to be intercepted or tracked.
>
>
> Hope this helps!
>
>
>
> ----- Original Message -----
> From: [email protected]
> To: [email protected]
> Sent: Friday, May 31, 2013 8:32:36 AM
> Subject: Create an offline packaged webapp
>
> I've been puzzled for a while trying to get an offline packaged app.
>
> I have packaged my app, and also used html5 cache and localstorage to store
> all the user settings and (theoretically) prevent the browser from checking
> the internet for updates.
>
> But it seems like nothing can prevent a webapp from checking on startup for
> changes on the online site. It's not a functional problem, the app currently
> works fine offline and online, but it can be a security issue for the
> following reasons:
>
> 1- anyone by checking the network traffic can see that I have this app
> installed.
> 2- doing MiM it is possible to inject code on the app and leak all the
> passwords I type in the app.
>
> This is why I want the app to never look for changes upstream.
>
> I have discussed this on #b2g and I've been redirected to this forum. I know
> that default system apps (camera, gallery, ...) are packaged apps and they
> work well (not checking network on startup). How can I make my packaged app
> work in that way?
>
> Here's the app for testing this issue:
>
> http://hass.ffos.lolcathost.org/
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
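The CSP suggestion in the reply above is the part of this thread that is easiest to make concrete. The following is an added example, not code from this thread, from Mozilla, or from the W3C CSP specification: a small Node.js script that parses a Content-Security-Policy header string the way a browser resolves it (script-src, falling back to default-src) and reports the script-source settings that would still let injected code run. The function names (`parseCsp`, `effectiveScriptSources`, `auditScriptPolicy`) and the two policy strings are constructed for illustration.

```javascript
// Added example (not code from this thread, from Mozilla, or from the CSP spec):
// parse a Content-Security-Policy header and flag script-source settings that
// would still let injected code run. The policy strings below are constructed.

// Split "name value value; name value" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; if it is absent, default-src applies;
// if both are absent the policy does not restrict scripts at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Return human-readable findings; an empty array means no weak script source.
function auditScriptPolicy(policy) {
  const findings = [];
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) {
    findings.push('no script-src or default-src: scripts, including inline ones, may come from anywhere');
    return findings;
  }
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      findings.push("'unsafe-inline': injected <script> blocks and on* handlers would execute");
    } else if (s === "'unsafe-eval'") {
      findings.push("'unsafe-eval': injected strings could reach eval()/Function()");
    } else if (s === '*') {
      findings.push("'*': scripts may be loaded from any origin");
    } else if (s === 'http:' || s.startsWith('http://')) {
      findings.push(`${src}: scripts fetched over plain HTTP can be altered in transit`);
    } else if (s.startsWith('*.')) {
      findings.push(`${src}: wildcard host matches any subdomain`);
    }
  }
  return findings;
}

// Constructed policies: a permissive one and a hardened one.
const PERMISSIVE_POLICY = "default-src *; script-src * 'unsafe-inline' http://cdn.example";
const HARDENED_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

for (const p of [PERMISSIVE_POLICY, HARDENED_POLICY]) {
  console.log(p);
  const f = auditScriptPolicy(p);
  console.log(f.length ? f.map(x => '  - ' + x).join('\n') : '  (no weak script sources)');
}
```

The hardened policy is the shape that addresses the injection concern in the original message: with `script-src 'self'` and no `'unsafe-inline'`, a script injected into a page by an intermediary is not executed, and any script the app does load must come from its own origin, which for a packaged app means from the package itself.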
