On Sun Jan 25 2015 at 8:34:22 AM Ross Gerbasi <rgerb...@gmail.com> wrote:
> If I am missing something please let me know but from what I can tell the
> exploit is triggered via some kind of harmful code being executed inside
> the webview. This could come from a button click, or link to some site, or
> maybe somehow someone spoofs a trusted source and actually delivers code
> from a bad source.

That's correct. The thing is that this is trivially easy to do with Android code. If someone installs a Cordova app from a third-party source, or even from an app store before the harmful app is taken down, they could be compromised.

> Something like that. I would think most cordova
> applications are self contained sites. So all the requests end up pulling
> local html/js files from the device. Injecting some kind of bad code into
> the application isn't really an option here without some other kind of
> hackery.

You'd think, but we've had this discussion before about NoFrak, third-party ad code, and third-party cookies. The more we keep saying that this is the case, and that people who create Cordova apps would be stupid to trust third-party code, the more we have people do it.

Now, I think there's a balance between the two viewpoints, and we have to find it. I think this is more of a concern with corporate applications that are side-loaded than apps from the Play Store. Given that alone we should at least try and address it by releasing 4.0.x. That still doesn't address all the things, but it at least gives some options.