Is PhoneGap secure?
How much has phonegap been hardened against attackers? Especially XSS flaws in our own pages, where the PhoneGap API is exposed to an unknown attacker.
For example, is the PhoneGap.exec() command secure on the iPhone?
From JavaScript, the PhoneGap.exec command worries me, e.g. PhoneGap.exec(successCB, errorCB, "com.phonegap.contacts","search", [{"fields":fields, "findOptions":options}]);
(JavaScript for iPhone target copied from here). The exec command should in theory be restricted, and should only be able to access PhoneGap API classes (com.phonegap.contacts in this example) and methods (e.g. search in this example).
If there is an XSS vulnerability in our app then any attacker has an expanded attack surface compared with running in just the browser sandbox. The end user's phone is exposed to any vulnerabilities in PhoneGap that could allow an attacker to gain access to privileged Objective-C code/APIs. The only documentation I could find on PhoneGap security was this.
You can control API access by modifying PhoneGap.plist/Plugins and removing any un-needed ones.
With PhoneGap 1.1 (coming soon) - there is a white-list feature (in PhoneGap.plist/ExternalHosts) where only certain external urls can be connected to - either in JavaScript or Objective-C.
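As an added illustration of the two controls named in this answer (not code from the answerer or from the PhoneGap project), here is a PhoneGap.plist fragment with the ExternalHosts whitelist and a trimmed Plugins table. It assumes PhoneGap 1.1 or later for ExternalHosts; the hostname and the Objective-C class name PGContacts are placeholders, and the overall plist layout is an assumption about the generated project file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Weak setting, shown only for contrast and kept commented out: a "*" entry lets
         both JavaScript and the native side reach any host, so script injected through
         an XSS flaw could talk to any server it likes. -->
    <!--
    <key>ExternalHosts</key>
    <array>
        <string>*</string>
    </array>
    -->

    <!-- Hardened: only the app's own backend may be contacted (placeholder hostname). -->
    <key>ExternalHosts</key>
    <array>
        <string>api.example.com</string>
    </array>

    <!-- Plugins maps the name passed as the third argument of PhoneGap.exec
         (e.g. "com.phonegap.contacts") to the Objective-C class that handles it.
         Per the answer above, removing an entry here removes that API from what
         exec can reach, so list only the plugins the app actually uses.
         The class name is an assumed placeholder. -->
    <key>Plugins</key>
    <dict>
        <key>com.phonegap.contacts</key>
        <string>PGContacts</string>
        <!-- Unused plugins (camera, file, etc.) deliberately left out. -->
    </dict>
</dict>
</plist>
```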
This talks about Cordova/PhoneGap security issues:
http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt
"The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap." would also concern me if it is true.
On Android if PhoneGap uses addJavascriptInterface() for the bridge, then that has serious security implications:
http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html