couchbase / couchbase-lite-java-listener

Embedded web server to expose Couchbase Lite REST API on an http socket
Apache License 2.0

Phonegap security enhancements #48

Closed tleyden closed 7 years ago

tleyden commented 10 years ago

After https://github.com/couchbase/couchbase-lite-java-listener/issues/35 has been fixed, there are still known security issues with phonegap. An app running on the same device that was able to run a sniffer (eg, libpcap -- meaning the device would probably need to be rooted), would be able to sniff the basic auth parameters and use them to connect to the couchbase lite rest endpoint.

Possible solutions:

tleyden commented 10 years ago

From http://lanrat.com/android-wifi-sniffing/:

Promiscuous mode requires the hardware driver to support it. Currently android drivers do not support this, so that is unlikely.

tleyden commented 10 years ago

Another relevant thread: http://stackoverflow.com/questions/11875020/how-to-capture-network-packet-in-android-without-using-any-root-permissions

NitzDKoder commented 7 years ago

@hideki What is the latest plan on this? Pls confirm..

hideki commented 7 years ago

Hi @NitzDKoder, you can enable SSL on the Listener module, but you need to modify the Java code. Some of our users already do this.

hideki commented 7 years ago

Note to Self: CBL Android Listener can support SSL. So we might be able to close this ticket.

hideki commented 7 years ago

Using SSL in P2P Replications

http://developer.couchbase.com/documentation/mobile/1.2/develop/guides/couchbase-lite/tech-notes/p2p-replications-ssl/index.html

NitzDKoder commented 7 years ago

@hideki "You can enable SSL on Listener module. But you need to modify the Java code. Some of our user already does this." http://developer.couchbase.com/documentation/mobile/1.2/develop/guides/couchbase-lite/tech-notes/p2p-replications-ssl/index.html

Pls brief more on the above: what changes are needed in Java? Is only cert feeding enough?

Queries: 1) How to avoid the 3rd party app accessing the CBL server using REST requests (knowing the db name and credentials)?

2) How is https achieved, and does it cover server and client certificate validation?

https://docs.oracle.com/cd/E19528-01/819-0997/6n3cs0brm/index.html#aakhc https://docs.oracle.com/cd/E19528-01/819-0997/6n3cs0brm/index.html

Even after doing https, can the 3rd party access the data (knowing the db name/credentials/certificate information)?

3) @snej What is the iOS behavior? Is the local CBL server not accessible from a 3rd party app?

https://github.com/couchbase/couchbase-lite-ios/blob/master/Source/CBL_URLProtocol.m#L70

4) When will Digest auth be implemented for JS to CBL listener module communication?

The above seems to be a major security flaw. Pls share your thoughts on how to avoid the same.

Thanks Nithin

hideki commented 7 years ago

@NitzDKoder,

  1. Documentation provides info on how to activate HTTPS/SSL for a P2P environment. Can you tell me what part is not clear?
  2. You could set username/password. REF: https://github.com/couchbase/couchbase-lite-android-liteserv/blob/master/couchbase-lite-android-liteserv/src/main/java/com/couchbase/liteservandroid/MainActivity.java#L121
  3. The approach in the documentation just ignores certificate validation at the client side. You might need to research this.
  4. Digest Auth: It should be implemented by the 1.5.0 release, but there is no target date.
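Worked example of the client-side certificate validation that point 3 above leaves out; this is added code, not part of the couchbase-lite-java-listener project or the documentation linked earlier. It trusts only the listener's own self-signed certificate (pinning) and replaces hostname matching with a check that the presented certificate is that pinned one; the file name listener.crt and the peer address are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedListenerClient {

    // Build an SSLContext whose only trust anchor is the listener's certificate.
    // Any other certificate, including one signed by a public CA, is rejected.
    static SSLContext contextTrustingOnly(X509Certificate pinned) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory trust store
        ks.setCertificateEntry("cbl-listener", pinned);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // listener.crt (assumed path) is the certificate exported from the listener's keystore.
        X509Certificate pinned;
        try (InputStream in = new FileInputStream("listener.crt")) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        SSLContext ctx = contextTrustingOnly(pinned);

        URL url = new URL("https://192.168.1.20:5984/");   // assumed peer address and port
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // A self-signed P2P cert usually carries no usable hostname, so verify identity
        // by requiring the certificate presented in this session to equal the pinned one.
        conn.setHostnameVerifier((host, session) -> {
            try {
                Certificate[] chain = session.getPeerCertificates();
                return chain.length > 0 && chain[0].equals(pinned);
            } catch (Exception e) {
                return false;
            }
        });
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```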

NitzDKoder commented 7 years ago

@hideki with the above 2 not working, we need to open this issue: https://github.com/couchbase/couchbase-lite-java-listener/issues/78

hideki commented 7 years ago

@NitzDKoder, Let me confirm.

  1. Does the replicator work between devices with SSL?
  2. Do you face the problem between Listener and browser where JavaScript is running with SSL?

If 2. is yes, can you ask the Cordova or PhoneGap community if anyone has solved this problem before?

Thanks,

NitzDKoder commented 7 years ago

@hideki have not tried 1). But 2) yes, we have a problem: a cordova based html/javascript stand-alone app talking to the listener has an ssl issue. Will research more on this.

hideki commented 7 years ago

Hi @NitzDKoder, as I am not an expert on Cordova/PhoneGap, I guess it is faster to solve if you could ask the Cordova community.