duddu / cordova-plugin-antitampering

Verify the integrity of cordova static assets - Android / iOS
MIT License

Crash on app launch without tampering #19

Closed DevChawda07 closed 4 years ago

DevChawda07 commented 5 years ago

Hi, I added this plugin to my Cordova project and have kept it at the default behavior. It crashes the release build app even though I haven't done any tampering in the project files. Feel free to ask for more details. Ionic ver - 2.2.1

yadujaryal commented 4 years ago

Have you found a solution? Same issue with me.

DevChawda07 commented 4 years ago

> Have you found a solution? Same issue with me.

Didn't yet!

duddu commented 4 years ago

@DevChawda07 @yadujaryal Sorry I didn’t get back to you earlier. Which version of Cordova are you using and which platforms?

yadujaryal commented 4 years ago

Cordova 9.0.1 platform android iOS both


-- Thanks & Regards

Yadvender (C.O), IT CELL, HPSEBL, SHIMLA-4.

duddu commented 4 years ago

I just released on npm the version 0.4.0 with a fix for Cordova 9. Can you try to install that one and see if the issue persists please?

yadujaryal commented 4 years ago

I have tried and am getting:

    NSLog(@"Anti-Tampering check failed! %@: %@", [exception name], [exception reason]);
    int *x = NULL; *x = 7;

on iOS


yadujaryal commented 4 years ago

Without any tampering; I am testing on a simulator.


duddu commented 4 years ago

Strange, the tests on Sauce Labs with Cordova 9 on the iOS simulator look fine - let me add some tests for false negatives and see if I can replicate your problem.

yadujaryal commented 4 years ago

I am also using file crypt. Same issue with Android on real devices.


yadujaryal commented 4 years ago

    Anti-Tampering check failed! PathNotFoundException: No readable path retrieved for file fusioncharts/assets/.DS_Store

This is in the console.


yadujaryal commented 4 years ago

This file actually does not exist in my original www folder.


duddu commented 4 years ago

@yadujaryal those files are automatically generated on the Mac OS filesystem. In the meantime can you try to exclude DS_Store extensions using the EXCLUDE_ASSETS_EXTENSIONS plugin variable (look at the readme)?

yadujaryal commented 4 years ago

I have already done that and it's working on iOS, but I still need to test on Android. Can you tell me how to test whether the plugin is working or not in the iOS app? Thanks so much.


yadujaryal commented 4 years ago

I want to test the plugin on iOS. Is there any way to test it?


duddu commented 4 years ago

If you want to manually test, you are gonna have to manually tamper with your assets :) You can have a look at the tests folder: I'm tampering with the index.html of a demo cordova app, and testing with appium and saucelabs to verify that the tampering is actually detected by the plugin. To get an overview you can look at the logs on travis-ci, e.g.: https://travis-ci.org/duddu/cordova-plugin-antitampering/builds/561477790

yadujaryal commented 4 years ago

Thanks


yadujaryal commented 4 years ago

Hi, for testing the plugin on an Android apk I am using apk editor, then changing the code, building and installing, and the plugin is not detecting any changes. Is there anything I am doing wrong?


duddu commented 4 years ago

The tamper needs to happen after you build. You install the plugin, build the apk, then tamper with some file in the www folder. Then the plugin should detect and crash the app. Follow the steps on the tests, they should be quite straightforward.

duddu commented 4 years ago

@DevChawda07 Anything from your side?

yadujaryal commented 4 years ago

Means if someone makes changes in the code and then builds the apk again, this plugin does not detect tampering. This plugin only works at run time or if a change is made to the same build.


duddu commented 4 years ago

No, tampering means that an attacker gets his hands on your apk already released on a store. He tampers with it, then he releases his own version of the apk somewhere else, phishing users into thinking that’s the original one. In order for the attacker to re-build the application completely as you are saying, using Cordova, he would need to possess the full source code, which is not the case in the real world.


duddu commented 4 years ago

closing this one since it looks like the original issue has been addressed. please feel free to re-open or reply in case there is anything else on this, or in case you have other questions.

lukas2 commented 4 years ago

Just wanted to add that I had this problem when switching to a newer version of cordova-ios. In my case it was the file .eslintrc.yml, which shouldn't be packaged anyway. The solution was to add the file without the leading '.' to EXCLUDE_ASSETS_EXTENSIONS of this plugin. However, it would be nice if EXCLUDE_ASSETS_EXTENSIONS wasn't just about extensions, but files in general. (Even though it works with any filename, because the regex happens to be new RegExp('.*\.(' + extensions.join('|') + ')$'); and the first "dot" is optional.)

RobinGiel commented 3 years ago

@lukas2 I also have this problem: exception NSException * name: @"PathNotFoundException" - reason: @"No readable path retrieved for file cordova-js-src/.eslintrc.yml". This is happening with cordova ios 5.1.1.

With EXCLUDE_ASSETS_EXTENSIONS="eslintrc.yml" I still got the same error. Did you manage to make this work?

sigfriedabouchrouch commented 2 years ago

@RobinGiel were you by any chance able to make it work? If not, based on @duddu 's documentation, we should only add the extension of the file instead of the file name, making it as an end result: --variable EXCLUDE_ASSETS_EXTENSIONS="yml"
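What the expression quoted in lukas2's comment matches for the three values tried in this thread, as an added example that is not part of any comment above and not the plugin's own code. The sample asset list is constructed, and treating every match as a file left out of the integrity check is an assumption based on the variable's purpose.

```javascript
// Added example, not the plugin's code. The expression is copied from the
// comment above; in a JS string literal '\.' is just '.', so the "dot"
// before the group matches ANY single character, not only a literal dot.
function buildExcludeRegex(extensions) {
  return new RegExp('.*\.(' + extensions.join('|') + ')$');
}

// Split an asset list into paths the exclusion matches (assumed to be
// skipped by the integrity check) and paths that remain verified.
function auditExclusions(assetPaths, extensions) {
  const re = buildExcludeRegex(extensions);
  const excluded = [];
  const verified = [];
  for (const p of assetPaths) {
    (re.test(p) ? excluded : verified).push(p);
  }
  return { excluded, verified };
}

// Constructed sample of a www tree. The two dotfile paths are the ones
// reported in the thread; the other entries are made up for illustration.
const SAMPLE_ASSETS = [
  'index.html',
  'js/app.js',
  'config/settings.yml',
  'fusioncharts/assets/.DS_Store',
  'cordova-js-src/.eslintrc.yml',
  'data/report_yml',
];

function demo() {
  for (const value of ['DS_Store', 'eslintrc.yml', 'yml']) {
    const { excluded, verified } = auditExclusions(SAMPLE_ASSETS, [value]);
    console.log(`EXCLUDE_ASSETS_EXTENSIONS="${value}"`);
    console.log('  matched (not verified):', excluded);
    console.log('  still verified:', verified.length, 'files');
  }
}

demo();
```

Run over the real www tree before a release, the same audit shows how many files a broad value such as yml takes out of verification compared with a narrow one.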

DevChawda07 commented 2 years ago

> @DevChawda07 Anything from your side?

Hello @duddu, I remember posting this issue; also, I didn't get a particular solution at that point in time. I did some research back then, but as I no longer work on mobile apps I don't remember any of the stuff to help you guys out. Sorry for replying after years.