How to dynamically change Cordova whitelist?
We have an application that has multiple whitelabel solutions for clients - meaning they are hosted under their own domain.

We have one Cordova app and we want users to be able to visit all these sites with this app, but I don't want to redeploy every time we sign a new client.

  • Is there a way to load the whitelist through a URL or something? This would mean we can add domains on the fly through our database.
  • Is there a huge security risk when you whitelist all URLs?

https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/

Example

To clarify, I would love to have something like a URL that you can point to, which loads the whitelist settings every time on startup.

http://myexampledomain.com/whitelist.config

  <allow-navigation href="*.myexampledomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomainb.com/" />
  <allow-navigation href="*.subdomain.someclientdomainc.com/" />

...this file would be automatically loaded on startup.

Creating a JS based plugin

If there's no current solution, is it possible to do this safely by creating a (JavaScript-based) Cordova plugin? Like manually redirecting when the URL we try to load is outside a whitelist?

This means we would Cordova-whitelist everything and use our own plugin to block out everything outside our own whitelist.

(I am aware this is not safe when our database is compromised, but in that case we have bigger problems in general. Our app is for fun and does not rely on critical functionality)

Hostile answered 17/3, 2017 at 9:28 Comment(2)
I don't think that there is a straightforward way. One approach that I could think of is to have allow-navigation set to the * wildcard and route all the requests to a server side which handles the filtering of requests in the filters and redirects to the respective URLs. – Till
Dirk, what is your target platform(s)? If iOS is included then I'm afraid there is nothing you can easily do. This is because, according to the docs, whitelisting seems to use NSAppTransportSecurity, which goes into a property file of the compiled app (bundle). And that configuration is handled by iOS/Apple's Networking framework itself, so you can't change it "on the fly". So your custom plugin is probably the only way. – Deenadeenya

There is no mechanism for dynamically updating the whitelist of an app once built. This would largely defeat the security of offering a whitelist in the first place.

The security risk for whitelisting everything is extremely high, especially if you are loading sites you don't own. Loading those sites into your app's main frame gives them access to the same Cordova bridge to which your app has access -- which means those pages can use the same plugins installed in your app. (Note: Opening those links in the In App Browser or externally does not share the same risks, since that doesn't provide access to the Cordova bridge.)

Side note: the risk is also high even if you use sites you own: should a MITM attack be successfully executed, or your backend be hacked, malicious content could be served to the end user.

Without knowing more about how your service works, it's hard to offer much more assistance, but I would suggest building a separate app for each client. You can create scripts that automate (almost) everything so that releasing updates to your clients isn't onerous.

Butterfat answered 17/3, 2017 at 17:50 Comment(1)
Hi @Kerri Shotts, thanks for your answer. Why would a DB-backed whitelist defeat the security? Wouldn't this mean our database has been compromised - and that we have bigger problems? Our app is not really a critical app - it's a platform for prediction games (for fun). We're a really small team, so releasing an app for every user is not an option for us. I wonder if we could write a plugin on our own or something for this. – Hostile

Here are a couple more options from my experience here:

  1. Open the URLs with the InAppBrowser plugin and the '_system' target. This should open the URL in the native browser, with the URL in full view. This seems to be allowed without whitelist adjustments.

    window.open(url, '_system', 'location=yes,enableViewportScale=yes');
    
  2. If you need to stay in your app (and not open the native browser), you could do a hacky work-around where you load a page that you control and trust, and pass it a dynamic URL. On that page you could then have an iframe whose source is dynamically changed based on the passed-in parameters. The app could pass in the desired URL via the query string, then just change the iframe from there.
    Obviously it'd be good to limit the URLs that you'll allow there to a list you control.

Replete answered 19/12, 2017 at 19:16 Comment(0)
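The allow-list check that both options in this answer depend on, as an added example that is not part of the original answer: the host list, the function names and the `?target=` parameter name are all assumptions chosen for illustration, and in the asker's setup the host list would be fetched from their backend rather than hard-coded.

```javascript
// Added example (not from the original thread): a URL allow-list gate applied
// before either opening a link with InAppBrowser ('_system') or handing it to
// the trusted iframe page. ALLOWED_HOSTS is a constructed sample list.
const ALLOWED_HOSTS = ['myexampledomain.com', 'subdomain.someclientdomain.com'];

// True only for https URLs whose host is an allowed host or a subdomain of
// one. The dot boundary matters: "evilmyexampledomain.com" must not match.
function isAllowedUrl(candidate, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (u.protocol !== 'https:') return false;
  // Reject "https://good.example@evil.example/": the real host is evil.example.
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase();
  return allowedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Option 1 from the answer: open in the system browser, but only after the
// check passes. Returns false (and opens nothing) for a rejected URL.
function openExternally(url) {
  if (!isAllowedUrl(url)) return false;
  window.open(url, '_system', 'location=yes,enableViewportScale=yes');
  return true;
}

// Option 2: the trusted page reads "?target=<url>" from its own location and
// only returns a target that passes the same check; the caller then sets the
// iframe src to the returned value and leaves the iframe empty on null.
function resolveIframeTarget(pageLocation) {
  const target = new URL(pageLocation).searchParams.get('target');
  if (!target || !isAllowedUrl(target)) return null;
  return target;
}
```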
