> That's correct.  The thing is that this is trivially easy to do with
> Android code.  If someone installs a Cordova app from a third-party source,
> or even from an app store before the harmful app is taken down, they could
> be compromised.

This is a problem for sure, but it's also fair to say this could happen if a
user installed a non-Cordova app that used a webview, from a third-party
source or the Play Store. I think I understand your point here though, that
we are focusing on the outlook people have towards a Cordova app being
insecure.

> You'd think, but we've had this discussion before about NoFrak, third-party
> ad code, and third-party cookies.  The more we keep saying that this is the
> case, and that people who create cordova apps would be stupid to trust
> third-party code, the more we have people do it.  Now, I think there's a
> balance between the two viewpoints, and we have to fi

Well, as noble a cause as this is, if people wanna whitelist the world and
include code they haven't properly vetted, there isn't much we can do about
that...

> I think this is more of a concern with corporate applications that are
> side-loaded than apps from the Play Store.  Given that alone we should at
> least try and address it by releasing 4.0.x.  That still doesn't address
> all the things, but it at least gives some options.

Apologies if I am missing something else, but just to be sure: 4.0.x will
address this problem by allowing people to choose the webview. Technically
someone could still use the older one if they wanted to be lazy about it,
but this would allow the ability to switch over to Crosswalk as an option?

> I think this is more of a concern with corporate applications that are
> side-loaded than apps from the Play Store.  Given that alone we should at
> least try and address it by releasing 4.0.x.  That still doesn't address
> all the things, but it at least gives some options.

Again, I would really hope that if your corporation has spent the money
getting an application built, it would simply be built with security in
mind. I am probably being over-optimistic about developers here, but one
would think allowing any holes for external code to get triggered in your
internal corporate app is a big no-no...

-ross
