Hey,

So, to those of you in security circles, this isn't going to come as any surprise, but it's time we opened up this can of worms:

We got this security advisory over the break, and because it was over the holiday break, we didn't respond to it before it made it to BugTraq! As you probably already know, the whitelist doesn't actually work on Android 2.3.x for any inline assets, including iFrames. So, those of you who are using HTML-based ads in your app need to stop doing that ASAP! (I'm not kidding; the certificate pinning should have been your first hint.)

Anyway, I propose we do the following:

* Drop support for Android 2.3.x - I don't care if it's 20% of the market; it's an insecure 20%, and people need to stop targeting it because of how insecure it is. We can't fix it, and Google and handset makers have no interest in fixing it either. It's the IE6 of Mobile, and Android 2.3.x needs to die. (In hindsight, I feel bad for giving a friend of mine my old HTC Desire HD. :( )
* Drop support for Cordova 2.9 - I think we're at the six-month window for this already, and we've only issued one point release after 2.9.0.
* Implement NoFrak as a configurable option for people who aren't scared of the lack of certificate pinning
* Remove support for addJavascriptInterface for any platform that uses NoFrak below Jellybean and force them to use prompt

Now, I started work on moving NoFrak to 3.x on my own personal fork once the PoC author signed the ICLA, and you can find the branches on my GitHub:

https://github.com/infil00p/cordova-android/tree/SecureToken
https://github.com/infil00p/cordova-js/tree/SecureToken

If we decide to do this, I'll copy the branch over to the official cordova-android and cordova-js repos and we can work on that fork there. Right now it builds, but that's about it. I haven't re-written the exec method yet. Since we're moving this from a 2.9.x-based version of Cordova to the current tree, there's probably a lot of code that can be refactored and removed. It also needs a lot of cleanup, so any help with that would be awesome.

Also, we're going to need tests if we're going to add this as a feature. This is a lot of code, but it's probably a good idea to add this.

Joe
