duddu / cordova-plugin-antitampering

Verify the integrity of cordova static assets - Android / iOS
MIT License

How to check the integrity of all static files? #16

Open WuglyakBolgoink opened 6 years ago

WuglyakBolgoink commented 6 years ago

Hello @duddu!

In the last pentest feedback we got a finding with the title "not enough integrity" again :), because the plugin checks only the ASSETS folder. Is it possible to do this check for all files? Or did I not understand the workflow of this plugin?

My www-folder looks like this: image

WuglyakBolgoink commented 6 years ago

Update:

The "assets" folder was not enough, because a bad guy can change resources in the res folder and add some options...

As a solution, we can implement something like this:

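import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

public boolean checkIntegrity(Context mContext) {
    PackageManager pm = mContext.getPackageManager();
    try {
        // GET_SIGNATURES asks the package manager for the APK signing certificates
        PackageInfo appInfo = pm.getPackageInfo(mContext.getPackageName(), PackageManager.GET_SIGNATURES);
        String sig = appInfo.signatures[0].toCharsString();

        // the signature should be checked here; EXPECTED_SIGNATURE is a placeholder
        // for the app's known release signature, it is not defined on this page
        return EXPECTED_SIGNATURE.equals(sig);
    } catch (Exception e) {
        // fail closed: a lookup error counts as a failed integrity check
        return false;
    }
}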

Memo:

ederEnriquez commented 6 years ago

Hi @WuglyakBolgoink, do you have a solution for this?

AntonioHervert commented 6 years ago

Can you support me? How can I do that implementation? I have a project in which it is required that neither assets nor res are modified. Thank you in advance.

WuglyakBolgoink commented 5 years ago

Hello guys! Can anyone with Android/iOS skills help us?
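One way to cover more than the assets folder, as asked in this thread, is a SHA-256 manifest built over several directories at build time and re-checked later, which also flags files that were added. This is an added example, not code from the thread or from the plugin; the directory names, file contents and function names are assumptions, and it presumes the checker hashes the same packaged bytes the manifest was built from.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Recursively collect every regular file below dir.
function listFiles(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) =>
    e.isDirectory() ? listFiles(path.join(dir, e.name)) : e.isFile() ? [path.join(dir, e.name)] : []);
}
// Map of "root/relative/path" -> SHA-256 hex, for every file under every root.
function buildManifest(base, roots) {
  const manifest = new Map();
  for (const root of roots) {
    for (const file of listFiles(path.join(base, root))) {
      const digest = crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');
      manifest.set(path.relative(base, file).split(path.sep).join('/'), digest);
    }
  }
  return manifest;
}
// Re-hash the tree and report files that were changed, removed or added.
function verify(base, roots, manifest) {
  const current = buildManifest(base, roots);
  const report = { modified: [], missing: [], unexpected: [] };
  for (const [key, digest] of manifest) {
    if (current.get(key) !== digest) report[current.has(key) ? 'modified' : 'missing'].push(key);
  }
  for (const key of current.keys()) if (!manifest.has(key)) report.unexpected.push(key);
  report.ok = report.modified.length + report.missing.length + report.unexpected.length === 0;
  return report;
}
// Constructed sample tree: file names and contents are made up for this demo.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'integrity-'));
  const roots = ['assets', 'res']; // assumed layout: both folders are covered
  const write = (rel, data) => {
    fs.mkdirSync(path.dirname(path.join(base, rel)), { recursive: true });
    fs.writeFileSync(path.join(base, rel), data);
  };
  write('assets/www/index.html', '<html></html>');
  write('res/xml/config.xml', '<widget/>');
  const manifest = buildManifest(base, roots);
  const clean = verify(base, roots, manifest);
  write('res/xml/config.xml', '<widget debug="true"/>'); // simulated change in res
  write('res/raw/extra.txt', 'added'); // simulated extra file
  const tampered = verify(base, roots, manifest);
  fs.rmSync(base, { recursive: true, force: true });
  return { clean, tampered };
}
```

A manifest like this only has value if it is itself protected, for example by shipping it inside the signed package so that the signature check discussed above covers it.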