We did a VAPT assessment and we were informed about this issue after the assessment:
“While using PhoneGap/Cordova to develop an application, always try to whitelist the URL via which it connects. Without Domain Whitelisting, an attacker can load any domain in an iframe and any script on that page within the iframe can directly access Cordova JavaScript objects and the corresponding native Java objects”
For this they suggest changing this file, android/app/src/main/res/xml/config.xml, from

<access origin="*" />

to something like this:

<access origin="domain1.com,domain2.com" />
But we use too many other clients’ libraries for data analysis purposes, so we can’t add all the domains here.
Is there any better solution, or has anyone solved it in another way?
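As an added example (not from the post or from the Cordova project), this is how the allowlist is usually tightened in the project-level config.xml, from which the copy under android/app/src/main/res/xml is regenerated on each build: the wildcard is replaced by the origins the app actually contacts, and navigation is kept separate from network access. The app id and domains are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical app id and domains; replace with your own. -->
<widget id="com.example.app" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <name>AllowlistDemo</name>
    <content src="index.html" />

    <!-- Weak setting from the assessment: any origin may be contacted. -->
    <!-- <access origin="*" /> -->

    <!-- Network allowlist (<access>): only the backend and the analytics
         vendors the app really talks to. subdomains="true" covers hosts
         such as api.analytics-vendor.example without listing each one. -->
    <access origin="https://api.example" />
    <access origin="https://analytics-vendor.example" subdomains="true" />
    <access origin="https://metrics-vendor.example" subdomains="true" />

    <!-- Navigation allowlist (<allow-navigation>): which URLs the WebView
         itself may load as a document. With no entry, only the bundled
         file:// content is allowed, so a third-party page cannot become
         the top-level document. Add an entry only for pages you load
         deliberately, e.g.
         <allow-navigation href="https://app.example/*" /> -->

    <!-- Intent allowlist (<allow-intent>): links handed to the system
         browser or dialer instead of being loaded inside the WebView. -->
    <allow-intent href="https://*/*" />
    <allow-intent href="tel:*" />
</widget>
```

Because the Android navigation allowlist applies to iframes only for non-http(s) schemes, and the network allowlist does not filter every request type (WebSockets, for example), pair this with a Content-Security-Policy meta tag in index.html that lists the same vendor origins under connect-src and script-src and sets frame-src to 'none' or 'self'.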