tkyaji / cordova-plugin-crypt-file

This is a plugin to encrypt the source files.
Apache License 2.0

CordovaResourceApi.OpenForReadResult issue with Unencrypted URI #7

Closed Umaid1 closed 8 years ago

Umaid1 commented 8 years ago

I am trying to open my iFrame URL but it is displaying on HTML in browser. I am unable to figure out how to show a proper iFrame within the browser while using crypt-file. Source enclosed below.

@Override
public CordovaResourceApi.OpenForReadResult handleOpenForRead(Uri uri) throws IOException {
    String uriStr = this.tofileUri(this.launchUri);

    Log.d("TAG", "URL "+uriStr);

    CordovaResourceApi.OpenForReadResult readResult = this.webView
            .getResourceApi().openForRead(Uri.parse(uriStr), true);

    Log.d("TAG", "Check Encryption "+isCryptFiles(uriStr));

    if (isCryptFiles(uriStr) == false) {

            Log.d("TAG", "Check Encryption inside "+isCryptFiles(uriStr));

            //return readResult;
    } else if (isCryptFiles(uriStr) == true) {

        BufferedReader br = new BufferedReader(new InputStreamReader(
                readResult.inputStream));
        StringBuilder strb = new StringBuilder();
        String line = null;
        while ((line = br.readLine()) != null) {
            strb.append(line);
        }
        br.close();

        byte[] bytes = Base64.decode(strb.toString(), Base64.DEFAULT);

        LOG.d(TAG, "decrypt: " + uriStr);
        ByteArrayInputStream byteInputStream = null;
        try {
            SecretKey skey = new SecretKeySpec(CRYPT_KEY.getBytes("UTF-8"),
                    "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, skey, new IvParameterSpec(
                    CRYPT_IV.getBytes("UTF-8")));

            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            bos.write(cipher.doFinal(bytes));
            byteInputStream = new ByteArrayInputStream(bos.toByteArray());

        } catch (Exception ex) {
            LOG.e(TAG, ex.getMessage());
        }

        Log.d("TAG","Encryption possible");

        return new CordovaResourceApi.OpenForReadResult(readResult.uri,
                        byteInputStream, readResult.mimeType, readResult.length,
                        readResult.assetFd);

    }

    Log.d("TAG", "Check Encryption outside "+isCryptFiles(uriStr));

    return readResult;

}

mastersmind commented 8 years ago

The HTML file loaded in the iFrame should be encrypted, or you need to add a condition in "isCryptFiles" so that if the URL is outside the application (as everything within the app is encrypted) it returns false (don't try to decrypt). Code like this:

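// URIs that do not start with "file" are treated as outside the application.
private boolean isOutsideCall(String uri) {
    if (uri.startsWith("file")) {
        return false;
    }
    return true;
}

// Only local files with one of the CRYPT_FILES extensions are decrypted.
private boolean isCryptFiles(String uri) {
    if (isOutsideCall(uri)) {
        return false;
    }
    for (String ext : CRYPT_FILES) {
        if (uri.endsWith(ext)) {
            return true;
        }
    }
    return false;
}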

Another thing I observed is that if the website has Middle Man Attack security, then it responds like what you have pointed out (showing the code in the iFrame). For that we need to override another function, through which we skip this plugin for OUTSIDE calls.

    @Override
    public Boolean shouldAllowBridgeAccess(String url) {
        if(url.equals("http://localhost/")){
            return true;
        }
        return null;
    }

Here we check whether the request URL is from localhost; if it is not, we skip this plugin.
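
A stricter form of the check described in the answer above, as an added example that is not part of the original thread or the plugin's code: it parses the URI so that only an exact `file` scheme qualifies, and it tests the extension on the path alone, without query string or fragment. The class name `CryptFileGate`, the method `shouldDecrypt`, the extension list and the sample URIs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class CryptFileGate {
    // Assumed extension list; the plugin's real CRYPT_FILES is not shown on this page.
    private static final String[] CRYPT_FILES = {".htm", ".html", ".js", ".css"};

    /** True only for local file: URIs whose path (query and fragment excluded) has a listed extension. */
    static boolean shouldDecrypt(String uriStr) {
        final URI uri;
        try {
            uri = new URI(uriStr);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never decrypted
        }
        // Exact scheme match, so "filesystem:" and similar prefixes do not pass.
        if (!"file".equalsIgnoreCase(uri.getScheme()) || uri.getPath() == null) {
            return false;
        }
        // getPath() excludes "?query" and "#fragment", which would defeat a plain endsWith().
        String path = uri.getPath().toLowerCase(Locale.ROOT);
        for (String ext : CRYPT_FILES) {
            if (path.endsWith(ext)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URIs, not taken from the issue.
        String[] samples = {
            "file:///android_asset/www/index.html",
            "file:///android_asset/www/index.html?page=2#top",
            "file:///android_asset/www/img/logo.png",
            "https://example.com/frame.html",
            "filesystem:https://example.com/temporary/app.js",
        };
        for (String s : samples) {
            System.out.println(shouldDecrypt(s) + "  " + s);
        }
    }
}
```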

Umaid1 commented 8 years ago

Thank you dear. It worked!

tkyaji commented 8 years ago

Thanks for the answer.