Overview
Syllabus
Intro
Hybrid mobile apps
The architecture of Apache Cordova
Example app
One framework, many names
Cordova in the real world
What we have learned: plugin use
Why is it hard to test the security of hybrid apps
Example: Get Phone Number
Weak spot: JS Java bridge
Exploiting the JavaScript to Java bridge (CVE-2013-4710)
Never use http without SSL, or even iframes! Device
Recommendations: the (hopefully) obvious parts
Recommendations: we should not forget
Did you know
Recommendation: use the latest framework version
If you are using static analysis: Considerations
If you are using static analysis: Recommendations
If you are using dynamic analysis (e.g. pen testing)
Conclusion
Taught by
OWASP Foundation