Though it would be great if Google would/could patch all the WebViews on the older phones, and people can argue all day about how poopy it is and whatnot. I am curious how much the actual exploit harms a majority of cordova apps.
If I am missing something please let me know but from what I can tell the exploit is triggered via some kind of harmful code being executed inside the webview. This could come from a button click, or link to some site, or maybe somehow someone spoofs a trusted source and actually delivers code from a bad source. Something like that. I would think most cordova applications are self contained sites. So all the requests end up pulling local html/js files from the device. Injecting some kind of bad code into the application isn't really an option here without some other kind of hackery. So is it fair to say if your application is not linking html/javascript related material there isn't much of a concern here? If you are linking externally or maybe using the in app browser, it is potentially bad but only if the site your linking to was compromised somehow. Which then makes me wonder how the heck did the site get compromised... Anyways I may be totally off here so if anyone is more educated in this area please correct me. thanks -ross On Sat, Jan 24, 2015 at 2:33 PM, Joe Bowser <bows...@gmail.com> wrote: > More about WebKit and Jellybean not being updated. This is the same line > we've been saying, but a lot of users have been completely disregarding. > So, I don't know where we should go from here: > > https://plus.google.com/117193854832907724231/posts/1md7ruEwBLF > > On Fri, Jan 23, 2015, 11:34 AM Joe Bowser <bows...@gmail.com> wrote: > > > Marcel posted it a few days ago. I haven't seen anything come out of it > > yet, but this is a big deal. > > > > > > > https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior > > > > On Fri Jan 23 2015 at 11:32:48 AM Andrew Grieve <agri...@chromium.org> > > wrote: > > > >> Not sure what the JB fiasco is, but merging SGTM. We can always work off > >> of > >> 3.7.x if we end up needing another 3.x release. > >> > >> On Fri, Jan 23, 2015 at 1:51 PM, Joe Bowser <bows...@gmail.com> wrote: > >> > >> > Hey > >> > > >> > So, now that 3.7.0 is mostly out the door (dealing with npm stuff > now), > >> I > >> > think we should talk about getting 4.0.x merged into master and out > the > >> > door. > >> > > >> > I know there's that CookeManager thing that breaks the File Transfer > >> plugin > >> > that we have to deal with, and I'm wondering if we can actually get > some > >> > tests for that before we do the merge. I really want 4.0.x to be in > >> > mainline and be our priority so that we can get it out by the end of > >> > January. > >> > > >> > Also, once we get 4.0.x, we need to talk about WebViews and how we > deal > >> > with the whole Jellybean fiasco, but I think we need to take one step > >> at a > >> > time and get 4.0.x out. > >> > > >> > Thoughts? > >> > > >> > Joe > >> > > >> > > >
