Can a virus, an experienced user or a privileged application change the JavaScript in my hybrid Cordova application once it is already installed on a user's Android or iOS device?

I am interested in learning about the security of Cordova for building applications. So, after the application is installed on the user's device, can an adversary or another application / virus with root privileges change the HTML and / or JavaScript sources that are stored in the WWW folder of my Cordova application?

I know that I should not use eval in a Cordova application, but if opponents can modify the JavaScript, they can do the same damage as eval.

I am worried about a scenario like:

  • The user installs the application.
  • An adversary has the phone for several minutes, or enough time to modify the JavaScript to expose or send runtime information, such as global variables.
  • An attacker adds JavaScript code that sends session keys to a domain or via email. Or, if the domain whitelist is used correctly, the attacker simply stores them in a persistent store that he / she can subsequently extract.

Is this a real problem?

+5