apache / cordova-ios

Apache Cordova iOS
https://cordova.apache.org/
Apache License 2.0

Can the hostname be set at runtime? #1086

Closed sdemir60 closed 3 years ago

sdemir60 commented 3 years ago

Our users set their server addresses themselves from our application. It connects to the servers of its own company. Can the hostname be set at runtime?

breautek commented 3 years ago

No. Servers must be allow-listed ahead of time and cannot be changed during runtime.

Why?

In the event of malicious code execution, the allow list will prevent data from being sent to the attacker's servers, assuming the allow list is configured as restrictively as possible.

If the app could change the allow list during runtime, it will break this damage mitigation as the malicious actor could then simply update the allow list themselves.

Most Ideal Scenario

I obviously have no clue about your product or infrastructure, but I'll explain a workaround that, in my opinion, would be the most secure way of dealing with your issue. This may or may not be possible for your project for a number of different reasons, because I'll be making a number of assumptions.

Firstly, you could just open the gates by allowing any and all servers to communicate with your app, but for reasons above this would not be recommended.

The app should communicate with a single server, which is a proxy server which will then communicate with your client's server address. This shouldn't be configurable from the app itself but through a web portal. The app can then white list your proxy server, and your proxy server should only allow requests to be made on behalf of the client to what they have configured.

In this configuration, should the app be vulnerable to remote code execution, the damage mitigation hasn't been defeated, as the app can only communicate with the proxy server and the proxy server should only allow the client to communicate with their configured server. This also has the added benefit that you can configure CORS properly and not have to worry about your clients implementing CORS wrong.

Disclaimer: I'm not a security engineer.

Because this isn't a bug, I'll be closing this issue. If you would like to discuss more on this subject, our Slack community can probably help.

Cheers, Norman
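
The proxy-side destination check described in the reply above, as an added example that is not part of the original thread or of cordova-ios. It assumes a Node.js proxy that identifies the tenant from an authenticated session; `TENANT_UPSTREAMS`, `resolveUpstream` and all hosts are hypothetical names with constructed sample data.

```javascript
// Added example: the destination check a proxy could run before forwarding.
// All names and hosts are hypothetical; the config is constructed sample data.
const TENANT_UPSTREAMS = new Map([
  // tenant id -> upstream base URL, set through the web portal, never by the app
  ['acme', 'https://api.acme.example/v1/'],
  ['globex', 'https://erp.globex.example:8443/'],
]);

function resolveUpstream(tenantId, requestedPath, upstreams = TENANT_UPSTREAMS) {
  const base = upstreams.get(tenantId);
  if (base === undefined) return { ok: false, reason: 'unknown tenant' };

  const baseUrl = new URL(base);
  if (baseUrl.protocol !== 'https:' || !baseUrl.pathname.endsWith('/')) {
    return { ok: false, reason: 'bad upstream config' };
  }
  if (typeof requestedPath !== 'string') {
    return { ok: false, reason: 'malformed path' };
  }

  let target;
  try {
    // Resolve the way an HTTP client would, then judge the result,
    // instead of pattern-matching the raw input.
    target = new URL(requestedPath, baseUrl);
  } catch {
    return { ok: false, reason: 'malformed path' };
  }

  // Absolute URLs, "//host/..." and "\\host\..." all change the origin here.
  if (target.origin !== baseUrl.origin || target.username || target.password) {
    return { ok: false, reason: 'destination not configured for tenant' };
  }
  // "../" segments and a leading "/" escape the configured base path.
  if (!target.pathname.startsWith(baseUrl.pathname)) {
    return { ok: false, reason: 'path escapes upstream base' };
  }
  return { ok: true, url: target.href };
}
```

The app's own allow list then contains only the proxy's origin, and the per-tenant upstream never travels in a request the app controls.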