apache / cordova-android

Apache Cordova Android
https://cordova.apache.org/
Apache License 2.0

About "Mobile AppSec Verification Standard" #1403

Closed ilovepumpkin closed 2 years ago

ilovepumpkin commented 2 years ago

Hello,

We have a mobile app based on Cordova. Now I was asked to answer whether this app meets the requirements listed in the Mobile AppSec Verification Standard, especially the following two:

Could you please let me know where I could find such information about how cordova-android supports the requirements listed in the above links?

breautek commented 2 years ago

We have a security page that talks about some stuff, plus it contains additional links to whitepapers on hybrid app security in general.

Generally speaking though, hybrid apps are not very resilient to reverse engineering. It's very easy to unpackage native apps (Android APKs for example are simply just zip files) and app assets can be easily read by anybody. Just like any web app, the source code can easily be read and copied. This is noted in our security page linked above.

Of course you can use webpack and other obfuscating tools to minimise the source code or make it harder to understand, but that in no way prevents reverse engineering.

It's also worth mentioning that it's not very difficult to reverse engineer Java applications either; there is a plethora of "decompilation" tools available to take Java bytecode and build somewhat readable Java source code.

Generally speaking, if you have top-secret software/algorithms that must not be discovered, then it isn't safe to give it to the client, regardless of the platform you use to build the client application. That's one of the main benefits of Software-as-a-Service models, so that you can keep your top-secret stuff safe on your servers and only expose what you need to expose through APIs.

As for the second link for environment, a lot of these can be subjective. For example, JavaScript is not disabled in webviews because that would break the core functionality of most Cordova apps. Web storage is not cleared before the webview is destroyed, as that is a common practice for storing non-sensitive data, etc. Additionally, there are many points here where the default settings are set for security, but developers can opt to turn features off (such as enabling file:// access).

While Apache makes an effort to keep things as secure as possible, it is completely volunteer-driven. Therefore, if you require a certain level of security proof, it may be wise to hire a cyber-security expert to vet the code. All of Apache's code is open source and free to be examined, after all.

Lastly, should there be any security issues found, they can be reported through Apache's Vulnerability Reporting Process.

Closing because there isn't really anything more that I can provide. If you have any further questions, I would invite you to ask our Slack community.
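The point above that an APK is just a zip file whose `assets/www` contents anyone can read is easy to turn into a pre-release check. The following is an added example written for this discussion, not cordova-android project code: it builds a constructed sample APK in memory (the cordova-android layout with `assets/www/` is real; the file names, contents and sensitive-name patterns are assumptions) and flags shipped artifacts such as source maps or env files that undo minification or leak configuration.

```python
"""Pre-release audit: what does a Cordova APK expose under assets/www?

Added example for this thread, not cordova-android project code. An APK is a
zip file, so every www asset is plain readable text for whoever installs it.
"""
import io
import re
import zipfile

# Assumed patterns for build artifacts that should not reach client devices.
SENSITIVE_PATTERNS = [
    re.compile(r"\.map$"),             # source maps undo minification/obfuscation
    re.compile(r"(^|/)\.env"),         # environment / secret files
    re.compile(r"\.(pem|key|p12|jks)$"),  # private keys and keystores
]


def build_sample_apk() -> bytes:
    """Constructed sample APK mimicking a cordova-android build (values are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("assets/www/index.html", "<html><script src=cordova.js></script></html>")
        z.writestr("assets/www/js/app.min.js", "(function(){var k='API_KEY_PLACEHOLDER'})();")
        z.writestr("assets/www/js/app.min.js.map", '{"version":3,"sources":["src/app.ts"]}')
        z.writestr("assets/www/.env", "API_TOKEN=placeholder")
    return buf.getvalue()


def audit_apk(apk_bytes: bytes) -> dict:
    """List readable www assets, the subset matching SENSITIVE_PATTERNS, and a preview of each."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        www = [n for n in z.namelist()
               if n.startswith("assets/www/") and not n.endswith("/")]
        flagged = [n for n in www if any(p.search(n) for p in SENSITIVE_PATTERNS)]
        # The assets are read straight out of the zip: no unpacking tools required.
        previews = {n: z.read(n).decode("utf-8", "replace").splitlines()[0]
                    for n in flagged}
    return {"www_files": www, "flagged": flagged, "previews": previews}


if __name__ == "__main__":
    report = audit_apk(build_sample_apk())
    print(f"{len(report['www_files'])} readable www assets")
    for name in report["flagged"]:
        print(f"FLAGGED {name}: {report['previews'][name]}")
```

Run it against a real build by replacing `build_sample_apk()` with the bytes of your `.apk`; anything it flags is visible to every user of the app, exactly as the comment above describes.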