silkimen / cordova-plugin-advanced-http

Cordova / Phonegap plugin for communicating with HTTP servers. Allows for SSL pinning!
MIT License
400 stars, 321 forks

Memory leaks sensitive information #458

Closed vinu-vrize closed 2 years ago

vinu-vrize commented 2 years ago

In our application, during security testing, the testers were able to get the request and response details from a memory dump. Please find below the details they were able to get from the dump. Is there any option or process we can implement to prevent this from happening?

```
CordovaHttpPlugin1351829997
CordovaHttpPlugin post https://***.***/login
username: password
json
Authorization Bearer null
Content-Type application/json
Accept text
ionic
```

vinu-vrize commented 2 years ago

Got some more details from the security team, the data is collected using "fridump" tool. It can get the in-memory details.

Has anyone faced a similar issue, or can anyone provide any suggestions?

silkimen commented 2 years ago

I guess your pen-test team is using a rooted device, right? And then they dump data from memory? This will allow you to get sensitive information from any app.

msathya03 commented 2 years ago

Hi, we are facing the same issue. Our pen tester is able to get the credentials from a memory dump using the Frida tool. Do you have any action plan to fix this memory leak issue in the cordova-plugin-advanced-http plugin? Awaiting your response. Thanks in advance.

vinu-vrize commented 2 years ago

Hi @msathya03m, in our case we prevented the application from being used on a rooted device: we stopped users from logging in when the application detects it is installed on a rooted device. The security team was happy with the prevention and considered the issue resolved.

msathya03 commented 2 years ago

Hi @vv619-perf, thank you for the update. It would be great if you could share the information about the root detection plugin which you used in your application. Currently we are using cordova-plugin-iroot, but the pen-test team is still able to collect the data using the Frida tool.

vinu-vrize commented 2 years ago

Hi @msathya03, we did the following mitigations:

  • Prevented the application from running on a rooted device, using the plugin ("cordova-plugin-iroot": "^3.1.0")
  • Cleared the window cache
  • Local storage was always cleared when the user logged out
  • All the values saved in local storage were encrypted
  • Unused variables in memory were cleared whenever their use was complete

But from my communication with the security team, they were happy when the app was not working on a rooted device and they couldn't get any more data.

msathya03 commented 2 years ago

Thanks so much!
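The last mitigation in the list above, clearing variables once their use is complete, is harder in JavaScript than it sounds: strings are immutable, so a password read from an input field or passed through `JSON.stringify` cannot be overwritten, and any copy the native side of the HTTP plugin makes is outside JS control. What the app can do is keep the secret in a typed array for as long as it holds it, build the request body byte by byte instead of via string concatenation, and overwrite every buffer once the request has been handed off. The block below is an added example, not code from this thread or from cordova-plugin-advanced-http; `sendBytes` is a hypothetical send function standing in for the plugin call, and the credentials in the demo are constructed sample data. On a rooted device with Frida attached this only narrows the window in which plaintext exists, it does not close it.

```javascript
// Added example (not from cordova-plugin-advanced-http): keep a password as
// bytes, build the login JSON body without creating a JS string that holds
// the password, send it, then zero every buffer that touched it.
// Assumes a global TextEncoder/TextDecoder (Node >= 11, Android/iOS WebViews).

const encoder = new TextEncoder();
const decoder = new TextDecoder();

// JSON-escape a UTF-8 byte string in place of JSON.stringify, so no
// intermediate immutable string containing the secret is created.
// Only '"', '\' and control characters (< 0x20) need escaping; multi-byte
// UTF-8 sequences are >= 0x80 and pass through untouched.
function jsonEscapeBytes(bytes) {
  let extra = 0;
  for (const b of bytes) {
    if (b === 0x22 || b === 0x5c) extra += 1;      // one backslash added
    else if (b < 0x20) extra += 5;                 // \u00XX replaces one byte
  }
  const out = new Uint8Array(bytes.length + extra);
  let i = 0;
  for (const b of bytes) {
    if (b === 0x22 || b === 0x5c) {
      out[i++] = 0x5c; out[i++] = b;
    } else if (b < 0x20) {
      const hex = b.toString(16).padStart(2, '0'); // e.g. 0x0a -> "0a"
      out[i++] = 0x5c; out[i++] = 0x75;            // "\u"
      out[i++] = 0x30; out[i++] = 0x30;            // "00"
      out[i++] = hex.charCodeAt(0); out[i++] = hex.charCodeAt(1);
    } else {
      out[i++] = b;
    }
  }
  return out;
}

// Assemble {"username":<name>,"password":"<escaped bytes>"} as bytes.
// The username is not secret, so JSON.stringify is acceptable for it.
function buildLoginBody(username, escapedPasswordBytes) {
  const head = encoder.encode('{"username":' + JSON.stringify(username) + ',"password":"');
  const tail = encoder.encode('"}');
  const body = new Uint8Array(head.length + escapedPasswordBytes.length + tail.length);
  body.set(head, 0);
  body.set(escapedPasswordBytes, head.length);
  body.set(tail, head.length + escapedPasswordBytes.length);
  return body;
}

// Overwrite each buffer with zeros. Works on Uint8Array views; a string
// cannot be wiped this way, which is the limit of this technique in JS.
function wipe(...buffers) {
  for (const buf of buffers) buf.fill(0);
}

// One login round trip. `sendBytes(body)` is a hypothetical stand-in for the
// plugin call that would post the raw body; it is invoked synchronously here
// so the wipe in `finally` runs after the bytes have been handed off.
function loginAndWipe(username, passwordBytes, sendBytes) {
  const escaped = jsonEscapeBytes(passwordBytes);
  const body = buildLoginBody(username, escaped);
  try {
    return sendBytes(body);
  } finally {
    wipe(body, escaped, passwordBytes); // plaintext gone from every buffer we own
  }
}

// Demo with constructed sample credentials (CommonJS only; skipped under ESM).
if (typeof require !== 'undefined' && require.main === module) {
  const pw = encoder.encode('p@ss"w\\d'); // constructed sample password
  const status = loginAndWipe('alice', pw, (body) => {
    console.log('would send:', decoder.decode(body));
    return 200;
  });
  console.log('status', status, 'password buffer zeroed:', pw.every((b) => b === 0));
}
```

The real plugin call is asynchronous, so in an app the wipe belongs in the completion callback (or after `await`), once the native side has taken its copy of the body; wiping earlier would send zeros. Whatever the native layer and the TLS stack keep in their own memory is beyond what this code can clear.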