JQuery Mobile + Phonegap Security

I am new to developing HTML5 for smartphones and tablets, and am currently working on an HTML5, CSS, jQuery Mobile and PhoneGap project.

The application communicates with the server through a SOAP web service, called via XMLHttpRequest. As a newbie, I wanted to know what steps I should take to ensure security in the application, whether I have to resort to plugins, data encryption, etc., everything I need to use for security.

Username and password confirmation is not used. I do not pass settings between pages. I do not use PHP. I don't know whether this does anything to prevent the code from being visible, because I am developing for Android and iOS.

Due to my inexperience, I currently use global variables in .js to store the username and password for accessing the other web service methods. Please help with this security issue, because I don't know where to start, continue, or end.

Thanks!

+7
4 answers

There is a very detailed breakdown of PhoneGap and security at: https://github.com/phonegap/phonegap/wiki/Platform-Security

In a nutshell, if you are concerned about data transmission "over the air", use a server with SSL, as in a web application. If you are concerned about device encryption, it is delegated to the default security mechanisms for the operating system.

+3

Your particular technology stack is no different from any other web application. You will still be exposed to a large number of vulnerabilities.

From the sound of it, you are concerned about client-side vulnerabilities. If so, there are a few things to consider.

  • If you use HTML5, make sure that any local API you use is secure. OWASP has a good list of best practices to follow at https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet , though only a few of them may be applicable to your specific application.
  • Any type of protection you intend to implement on the client for XSRF, or CSS (Cross-Site Scripting or XSS), will be in vain. The only type of protection that will work in all directions is the kind implemented on the server side of the application (PHP in this example).
  • In addition, if you want the data to be encrypted when transmitted over SSL, this should be handled by the server (the endpoint of the SOAP web service). If this is not possible, then a more difficult alternative would be to use WS-Security ( http://en.wikipedia.org/wiki/WS-Security ).
+2

The same security considerations as for web apps apply, and NEVER embed private API keys (Parse, StackMob, Google or Bing Maps) in your PhoneGap projects.

0

In addition to the above comments... I would suggest using HTTPS/SSL + OAuth (or some other token-based mechanism), passing username/password with every request... although simple HTTP authentication works.

0
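The token-based approach from the last answer, applied to the question's "username and password in a global variable" pattern, as an added example that is not code from the question or any of the answers. It assumes a hypothetical token endpoint on the same HTTPS server as the SOAP service and an injectable `transport` function that wraps XMLHttpRequest in the app's WebView.

```javascript
// Added example, not code from the question or any answer. Hypothetical assumptions:
// a token endpoint that takes the username/password once and returns
// {"access_token": "...", "expires_in": <seconds>}; "transport" is any
// function(url, headers, body, cb) wrapping XMLHttpRequest inside the WebView.
function assertHttps(url) {
  // Never put credentials or tokens on the wire over plain HTTP.
  if (!/^https:\/\//i.test(url)) { throw new Error("refusing non-HTTPS URL: " + url); }
  return url;
}

// The session keeps only the short-lived token and its expiry, never the password.
function createSession(clock) {
  var now = clock || function () { return Date.now(); };
  var token = null, expiresAt = 0;
  return {
    store: function (t, secs) { token = t; expiresAt = now() + secs * 1000; },
    isValid: function () { return token !== null && now() < expiresAt; },
    clear: function () { token = null; expiresAt = 0; },
    authHeader: function () {
      if (!this.isValid()) { throw new Error("session expired; log in again"); }
      return "Bearer " + token;
    }
  };
}

// Exchange the credentials for a token exactly once; the password stays a local
// of this function and is not kept in any global afterwards.
function login(tokenUrl, username, password, session, transport, done) {
  var body = "grant_type=password&username=" + encodeURIComponent(username) +
             "&password=" + encodeURIComponent(password);
  var headers = { "Content-Type": "application/x-www-form-urlencoded" };
  transport(assertHttps(tokenUrl), headers, body, function (status, text) {
    if (status !== 200) { session.clear(); return done(false); }
    var t = JSON.parse(text);
    session.store(t.access_token, t.expires_in);
    done(true);
  });
}

// Later SOAP calls carry the token header instead of the username/password.
function buildSoapRequest(endpoint, soapAction, xmlBody, session) {
  return {
    url: assertHttps(endpoint),
    headers: { "Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": soapAction,
               "Authorization": session.authHeader() },
    body: xmlBody
  };
}
```

In the real app, `transport` opens an XMLHttpRequest with `req.url`, sets each entry of `req.headers` via `setRequestHeader`, and sends `req.body`; the token expiring simply forces a fresh login rather than a password ever living in a global.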
