How to disable PhoneGap APIs/functionality?

Is there a recommended way to remove access to unneeded PhoneGap APIs?

For example our app does not need to access the contact database.

With normal web pages, an XSS vulnerability is sandboxed to only affect one site (the browser prevents any contagion to other sites). With a PhoneGap application, by default, an XSS vulnerability can access the contacts list or any other part of the PhoneGap API.

I want to avoid the Skype situation where an XSS vulnerability in Skype allowed an attacker to copy the address books of their users: http://www.macnn.com/articles/11/09/20/users.address.books.could.be.copied/


In your app, under PhoneGap.plist/Plugins, remove any rows for plugins that are not needed - this will remove access from JavaScript.
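An added example, not part of the original answer: the plugin removal described above, done as a repeatable build step that keeps only an allowlist of entries under Plugins. The plist content, plugin keys and class names below are constructed samples, and `prune_plugins` is a hypothetical helper; the entries in your own PhoneGap.plist may differ.

```python
import plistlib

# Constructed sample PhoneGap.plist; keys and class names are illustrative only.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>TopActivityIndicator</key><string>gray</string>
  <key>Plugins</key>
  <dict>
    <key>com.phonegap.contacts</key><string>PGContacts</string>
    <key>com.phonegap.camera</key><string>PGCamera</string>
    <key>com.phonegap.geolocation</key><string>PGLocation</string>
    <key>com.phonegap.file</key><string>PGFile</string>
  </dict>
</dict>
</plist>
"""


def prune_plugins(plist_bytes, allowed):
    """Return (new_plist_bytes, removed_keys), keeping only allowlisted plugins."""
    doc = plistlib.loads(plist_bytes)
    plugins = doc.get("Plugins")
    if not isinstance(plugins, dict):
        raise ValueError("no Plugins dictionary found in plist")

    # A typo in the allowlist should fail loudly rather than silently
    # dropping a plugin the app depends on.
    unknown = sorted(set(allowed) - set(plugins))
    if unknown:
        raise ValueError(f"allowlisted plugins not present in plist: {unknown}")

    removed = sorted(k for k in plugins if k not in allowed)
    doc["Plugins"] = {k: v for k, v in plugins.items() if k in allowed}
    # All other top-level settings are written back unchanged.
    return plistlib.dumps(doc), removed


if __name__ == "__main__":
    # Assumed allowlist: this app only needs geolocation and file access.
    allowed = {"com.phonegap.geolocation", "com.phonegap.file"}
    new_plist, removed = prune_plugins(SAMPLE_PLIST, allowed)
    print("removed plugin mappings:", removed)
    print(new_plist.decode("utf-8"))
```
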


PhoneGap is Open Source. You could make your own copies of the PhoneGap.js files with those functions disabled (put return false; as the first line of the function or something).

On Android you can do it with the permissions in the AndroidManifest.xml file, but as far as I know, there is no such feature for iOS.
