How to disable PhoneGap APIs/functionality?

Posted 2020-05-01 08:15

Is there a recommended way to remove access to unneeded PhoneGap APIs?

For example our app does not need to access the contact database.

With normal web pages, an XSS vulnerability is sandboxed to only affect one site (the browser prevents any contagion to other sites). With a PhoneGap application, by default, an XSS vulnerability can access the contacts list or any other part of the PhoneGap API.

I want to avoid the Skype situation where an XSS vulnerability in Skype allowed an attacker to copy the address books of their users: http://www.macnn.com/articles/11/09/20/users.address.books.could.be.copied/

2 answers
混吃等死
#2 · 2020-05-01 08:39

In your app, under PhoneGap.plist/Plugins, remove any rows for plugins that are not needed - this will remove access from JavaScript.

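The plist approach from the answer above, as an added example (not part of the original answers and not PhoneGap's own code): a build-time step that strips every row of the Plugins dictionary that is not on an allowlist, plus a check that reports rows which reappear later. The plist contents, plugin keys and class names are a constructed sample, and the function names are hypothetical.

```python
import plistlib

# Constructed sample standing in for PhoneGap.plist; keys and class names
# are illustrative values, not copied from a real project.
SAMPLE_PLIST = plistlib.dumps({
    "ExternalHosts": ["example.com"],
    "Plugins": {
        "com.phonegap.contacts": "PGContacts",
        "com.phonegap.camera": "PGCamera",
        "com.phonegap.geolocation": "PGLocation",
    },
})


def _load_plugins(plist_bytes):
    """Parse the plist and return (document, Plugins dictionary)."""
    doc = plistlib.loads(plist_bytes)
    plugins = doc.get("Plugins")
    if not isinstance(plugins, dict):
        raise ValueError("no Plugins dictionary found")
    return doc, plugins


def unexpected_plugins(plist_bytes, allowed):
    """List plugin rows that are present but not allowlisted (CI check)."""
    _, plugins = _load_plugins(plist_bytes)
    return sorted(k for k in plugins if k not in allowed)


def prune_plugins(plist_bytes, allowed):
    """Return (new_plist_bytes, removed_keys), keeping only allowlisted rows."""
    doc, plugins = _load_plugins(plist_bytes)
    # A misspelled allowlist entry would silently drop a plugin the app needs,
    # so treat allowlist names that match nothing as an error.
    unknown = sorted(set(allowed) - set(plugins))
    if unknown:
        raise ValueError(f"allowlist entries not in plist: {unknown}")
    removed = sorted(k for k in plugins if k not in allowed)
    doc["Plugins"] = {k: v for k, v in plugins.items() if k in allowed}
    return plistlib.dumps(doc), removed


if __name__ == "__main__":
    allowed = {"com.phonegap.camera"}  # the only plugin this sample app uses
    pruned, removed = prune_plugins(SAMPLE_PLIST, allowed)
    print("removed:", removed)
    print("still unexpected:", unexpected_plugins(pruned, allowed))
```

Running `unexpected_plugins` against the shipped plist in CI catches a removed row, such as the contacts plugin, being re-added by a later change.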
放我归山
#3 · 2020-05-01 08:43

PhoneGap is Open Source. You could make your own copies of the PhoneGap.js files with those functions disabled (put return false; as the first line of the function or something).

On Android you can do it with the permissions in the AndroidManifest.xml file, but as far as I know, there is no such feature for iOS.
