The Ionic team has released an important security update to cordova-plugin-ionic-webview to address a flaw in the embedded webserver used in previous versions of the plugin that could allow a specially-crafted application to access the webserver from another app.
Thank you to the Papers.ch team for responsibly disclosing the issue and working with us to get it resolved quickly. Papers.ch is a software company with a focus on mobile security.
To ensure your applications are free from any potential vulnerability, please update cordova-plugin-ionic-webview to one of the following versions:
- v3.0.0 if you no longer need to support iOS 10.
- v2.3.1 if you need to continue supporting iOS 10.
To update, see the instructions at the bottom of this post.
More information
This security patch resolves an issue in the embedded webserver used in previous versions that could allow specially-crafted applications to access the web server from other apps in rare cases.
While this issue raises security concerns, Ionic has not seen any reports of a credible exploit, and our engineers have confirmed that no data was ever at risk: app state, local storage, and all other data remain sandboxed by the OS.
Exploiting the issue would be very challenging in the wild.
Nonetheless, out of an abundance of caution Ionic recommends all users update to one of the above versions as early as possible.
Which version is right for you?
Version 3.x is our long-term recommended version and removes the internal webserver used in previous versions, along with dropping support for iOS 10 due to new APIs that are only available in iOS 11 and above.
v2.3.1 maintains iOS 10 support, and allows for deactivation of the internal web server on iOS 11+.
As of January 1st 2019, only 8% of iOS devices use iOS 10 or lower. If iOS 10 support is required, v2.3.1 or greater can be used.
Additionally, if using 2.3.1, we strongly recommend disabling the webserver on iOS 11+ and configuring a new port (instead of 8080) for your app to run on by setting the following preferences in config.xml:
<preference name="UseScheme" value="true" />
<preference name="WKPort" value="9634" />
Most configurations will also need to whitelist the selected port.
<allow-navigation href="http://localhost:9634/*" />
What platform(s) are affected?
iOS: Low Risk
Android: No Risk
- Android applications are unaffected by this vulnerability.
Is my application at risk?
The vulnerability may be present in your application if any of the following are true:
- You are using cordova-plugin-ionic-webview v2.1.4 or lower.
- You are using cordova-plugin-ionic-webview v2.3.1 or lower with the default port.
Verify plugin versioning:
Download and extract your release app from the App/Play store. The specific version of every installed plugin is available in cordova_plugins.js:
- iOS: located at Payload/<app name>.app/www/cordova_plugins.js
- Android: located at assets/www/cordova_plugins.js
Example:
// TOP OF METADATA
{
"cordova-plugin-whitelist": "1.3.3",
"cordova-plugin-statusbar": "2.4.2",
"cordova-plugin-device": "2.0.2",
"cordova-plugin-splashscreen": "5.0.2",
"cordova-plugin-ionic-keyboard": "2.1.3",
"cordova-plugin-ionic-webview": "2.3.1",
"cordova-plugin-file": "6.0.1",
"cordova-plugin-file-transfer": "1.7.1",
"cordova-plugin-ionic": "5.2.7"
};
// BOTTOM OF METADATA
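To apply the criteria above to an extracted build, here is an added example (not Ionic's code) that reads the plugin version from the metadata block of cordova_plugins.js and the UseScheme/WKPort preferences from config.xml, then reports whether the build falls under the advisory. The sample file contents are constructed, and the metadata layout and preference attribute order are assumed to match what is shown above.

```javascript
// Added example, not part of the plugin: assess an extracted build against the
// advisory's criteria. Constructed stand-ins for www/cordova_plugins.js and
// config.xml; the metadata block follows the layout shown in the advisory.
const SAMPLE_PLUGINS_JS = `module.exports.metadata =
// TOP OF METADATA
{
  "cordova-plugin-whitelist": "1.3.3",
  "cordova-plugin-ionic-webview": "2.3.1"
}
// BOTTOM OF METADATA
;`;
const SAMPLE_CONFIG_XML = `<widget id="com.example.app">
  <preference name="UseScheme" value="true" />
  <preference name="WKPort" value="9634" />
</widget>`;

// Numeric comparison of dotted versions: negative if a < b, 0 if equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The plugin->version map between the TOP/BOTTOM OF METADATA markers is JSON.
function parsePluginMetadata(js) {
  const m = js.match(/\/\/ TOP OF METADATA\s*(\{[\s\S]*?\})\s*;?\s*\/\/ BOTTOM OF METADATA/);
  if (!m) throw new Error('metadata block not found in cordova_plugins.js');
  return JSON.parse(m[1]);
}

// Value of <preference name="X" value="..."/> in config.xml, or null if absent.
function getPreference(xml, name) {
  const m = xml.match(new RegExp(`<preference\\s+name="${name}"\\s+value="([^"]*)"`));
  return m ? m[1] : null;
}

// Advisory criteria: <= 2.1.4 is affected outright; <= 2.3.1 is affected while
// the internal web server still listens on the default port 8080.
function assessWebview(js, xml) {
  const version = parsePluginMetadata(js)['cordova-plugin-ionic-webview'] || null;
  if (version === null) return { version, status: 'not-installed' };
  if (compareVersions(version, '2.1.4') <= 0) return { version, status: 'vulnerable' };
  if (compareVersions(version, '2.3.1') > 0) return { version, status: 'not-listed' };
  const port = getPreference(xml, 'WKPort') || '8080'; // plugin default when unset
  if (port === '8080') return { version, status: 'at-risk', port };
  const useScheme = getPreference(xml, 'UseScheme') === 'true';
  return { version, status: useScheme ? 'hardened' : 'port-changed', port };
}
```

A status of 'port-changed' means the server was moved off 8080 but UseScheme was not set, so the server still runs on iOS 11+; 'not-listed' only means the version is newer than those the advisory names, not that it has been checked.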
What can I do?
Update to v3.0.0 (Recommended)
iOS 11+ support only
cordova plugin rm cordova-plugin-ionic-webview
cordova plugin add cordova-plugin-ionic-webview@latest
Update to v2.3.1
iOS 10+ support
cordova plugin rm cordova-plugin-ionic-webview
cordova plugin add cordova-plugin-ionic-webview@2.3.1 --save-exact
To ensure your applications are free from any potential vulnerability, you must take the following steps.
Please Note: A new native build and submission to the App/Play Store is required to update the plugin.
Ionic Appflow Deploy users: After updating cordova-plugin-ionic-webview it is also necessary to update cordova-plugin-ionic to v5.
cordova plugin add cordova-plugin-ionic@latest --save \
--variable APP_ID="<your appflow id>" \
--variable CHANNEL_NAME="<your channel>" \
--variable UPDATE_METHOD="<your update method>"
Deploy API users must ensure that only v5 methods are used in their update logic. The legacy Deploy API is not supported in cordova-plugin-ionic v5.0.0 and higher. Details on all API methods are available in the plugin docs.