Y9^kPUfZ9l7 k L@gkR8 - JSSEC · Studio SAP Mobile Platform IBM MobileFirst Platform 13...


1

Y9^kPUfZ9l7_k"L@gkR8

7H7lċÓ�ĩ�Ņ©ĻÖ ĤxēŇ

[email protected]

2017Ñ2ÿ8øJSSEC L@gkR8]=qjd 2017

2

7H7lċÓ�ĩ

�ĩďŊ• �ĎŰ2002Ñ• ŖĄŠŰ1000r�• zĎâŰć|ŭĄĩŮ�Fp]jpHJE• Ø϶ôŰĴ40¯ŭ8ºijŮ

zĎ�Í• ŢĦ_jPT]=qdzĎŰŢĦQql�UI]mqdoqA• ŢĦðîzĎŰ7_kŢĦ�FqZqF9UŭPHPŮŢĦ• óľzĎŰTmqWpB�½į

3

HTML5fZ9l7_kŢĦ¾Ĩ Monaca

HTML5mJavaScriptx�¯¹fL

� ¤� ¯�V|�¸�¥fLH�

UI­»¿³½¿�Onsen UI9a

$3|=A\�±¿¤

4

fZ9lSZ9J"L@gkR8

5

7LPT − òï/È1'�ÎŔŖĢ4äí�1

5�`I

jZK�

cZ)C

���¾¤5�

´¿º�¥»�

WebhW)C

jZ+

BQ`I

jZ�ps�BQ

¨ ¤½¿�c�BQ

SD�¿¥^�@rBQ

SMSb��BQ

�´¸:1BQ

Bluetoothc�BQ

GPSBQ

6

ŖĢ4È1

Þ¿ŖĢ�ŀ�21

• òïĽ!.0Þ¿4§ĝ�21• òïĽ!.0Þ¿4ñ�5�21• òïĽ!.0Þ¿4�Ŧ�21

đĿŖĢ�ŀ�21

• òïĽ!.0đĿ4�ģ�21

ŖĢ

R!

R!

T'

7

fZ9l7_k!�1Attack Surface

Web API Server DB Server

[Y��¢³

¬�¨�¼� �

£¿�

�¯¹�¿�·¾

­»¿³½¿�/ ¸�®¸¹

OS

Application­¸ �¶´µ¹

WiFiBluetooth

NFC

�¾�¿GPS

8

Y9^kPU7_k�#

9

Y9^kPU7_kűHTML5ůX9R8^

¨�¢�®�¿¥

HTML�¾¢¾¡

�¯¹A�}HTML5x&U

¨�¢�®�¯¹0,xe*©¿¥���BQ��J�Q

¯¸��¾x¨�¢�®BQ�8.

10

Cross PlatformQql"H;7

Cross-platform tool usage (bar chart; values paired with the tools in the order they appear on the slide):

PhoneGap/Cordova 61%
Xamarin 35%
Unity 31%
Qt 18%
Adobe Air 15%
Appcelerator 13%
Corona 12%
Marmalade 9%
Codename One 4%
Live Code 3%

Axis: 0% to 70%. Legend: "Using this tool" / "Prioritize this tool".

Vision Mobile Analysis of Cross-Platform Development, July 2015

11

Cordova�PhoneGap

Őġ!

PhoneGap#Adobeĩ"_nOAT¯!

�NqfL��

Cordova�´¯>q_pMqJ¤

by

2011ÑAdobeĩ�Nitobiĩ4ŕ¨PhoneGap#�Cordova�!

2009ÑNitobiĩ�PhoneGap4ŢĦ>q_pMqJňµ

�"Ĺĉ "�Ď�CordovaŢĦ!§¡

12

¬<pNq_j9KMEAP�MADP"E7fIgql���èģ

PhoneGap

Monaca

Sencha

MS Visual Studio

SAP Mobile Platform

IBM MobileFirstPlatform

�� ���������������������������

13

Cordova]mqdoqAŭiOS/AndroidŮ

�Àºª �

HTML5CSS

JavaScript

WebView

¨�¢�®¼� �

7_kCqHip[PCqI

¨�¢�®API

AndroidiOS

14

Cordova]mqdoqAŭWindows/Windows PhoneŮ

HTML5CSS

JavaScript

Chakra + EdgeHTML

7_kCqHip[PCqI

¸¾��³API

WindowsjpN9d

(WinRT)

15

Y9^kPU7_k"L@gkR8

16

'2016 OWASP Mobile Top 10 Candidate

Improper Platform Usage

OSBQ���¶¹¢�|�P�|]JnAndroid�¾¢¾¤�«¿² �·¾|gdomKeychain|]Jzyn

Insecure Data Storage

$xzo£¿�k�|�J�6�vzo£¿�FDzyn

Insecure Communication

©¾¥����|gdo��oSSLª¿�·¾|�Jm>��t�wozoc�zyn

Insecure Authentication

[Y�G|���� �·¾OG|�lzyn

Insufficient Cryptography

�_t��~r£¿�{(vwm�%z>���Jn

Insecure Authorization

[��G|��n�¸��¾¤��¥x|[��G�m/�®¸��¾�zyn

Client Code Quality �¿¥»°º|&U�lnª ­��¿ª¿­¼¿�<" �G|gdozyn

Code Tampering ª�¦¹­��º|;u��¹�¿�­��º| ?m�Mz´µ¹|;u�zyn

Reverse Engineering ª�¦¹­��ºp�|�¿��¿¥2�m�J¸�®¸¹��º�¹�³|7�zyn

Extraneous Functionality

ivª �¥�|#��m¹¹¿��¯¹{���w}oszo�´¾¤|Ezyn

17

Y9^kPU7_k"L@gkR8áÜ

• XPToqAś�– WebView/ŭbqI"Œ)ř)�

XHR�"AjaxŮ–X9R8^/ŭAndroid/iOSŮ

• WebView–^j:G<pIp"ŁÔÝ

• CordovaĄ�– Cordova"ŁÔÝ

• _jB9p–_jB9p"ŁÔÝ

• kZqJ<pIW7kpB–nIPA"ĚĖ-EqU"ñ�5

• MqJEqU–MqJEqU"ŁÔÝ

Cordova

7_kCqHip[PCqI

¨�¢�®X\{��&U

JavaScript{��&U

WebView

®¸���¾�¾|S-4

¨ ¤½¿�c�

¹ª¿��¾�§�¹¾�

¯¸��¾&U

¯¸��¾

18

XPToqAś�!Î�1L@gkR8fSl

19

Same-Origin Policy

Same-Origin Policy

Cordova�Đęħ!�ģ�1iOS"UIWebView-Android"WebView#file://_nTEl�Origin� ��0Same-Origin Policy#ŝģ�2 ��.���Content-Security Policy"çË�ÚŊ� 1�

����iOS 9 + Cordova iOS 4.0/�ģ��1�WKWebView�4ģ�1À­�WebView"u�­/Same-Origin Policy�ŝģ�21�+�FqZq�!CORS`POq4~v�1ÚŊ��1�

XPToqAś�!Î�1L@gkR8fSl

20

Access Origin�Allow Navigation

Access Origin

ŎË]69l(config.xmlŮ!�ōŚ�1��ĂZqIip.0Æ»�S]=lT# * ŭ�'�ŏªŮ "�ĕß�ÚŊ�<video>NB-WebSocketİ#�ť�2 ��+�Content Security Policy"�ģ�êÄ�21�

Allow Navigation

Cordova iOS/Android 4.0�s!Ð��2�L@gkR8fSl�Android#cordova-plugin-whitelist"Ð��ÚŊŭS]=lT�ķ)ř)ėŮ�WebView�ŞĬªĿ bqI4�ť�1�S]=lT#file:///ŢÅ�21ŭĭă�!Æ»�1ŮURL!V\DqHip4ŏª�1�

<access origin="http://example.com" />
<access origin="*" />

<allow-navigation href="http://example.com/*" />

XPToqAś�!Î�1L@gkR8fSl

21

Content Security Policy

Content Security Policy

HTML�!<meta>NB4ģ��ōŚ�1�KitKatŭAndroid 4.4Ů�Ť�.%iOS 7�Ť�ÎÛ����Crosswalk4ģ�1����Android 4.0�Ť�ÎÛªĿ�

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

XPToqAś�!Î�1L@gkR8fSl

• gap://_nTElŭiOS"UIWebViewŮ.%https://ssl.gstatic.comŭAndroid�ÚŊŮ4ŏª�• eval()ţô-9pj9pJAk_T4ĪĒ�

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

• CSS�JavaScript#®�>kIp","4ŏª�• eval()ţô�9pj9pJAk_T,ŏª�

22

iOS Application Transport Security (ATS)

iOS Application Transport Security (ATS)

iOS"æ�L@gkR8¾ę�ÏĆħ!ŎË�ÚŪ¤�21yË�ATS�Ā¢"À­HTTPś�#ŏª�2��TLS 1.2�s�ÚŪ�Cordova�#<access>ŊĶ,� #<allow-navigation>ŊĶ4çË�1��ATSŎË4ōŚ�1Info.plist]69l�sý��2�ŎË�ŝģ�21�

iOS 10�Ť"çË!ÎÛ�1�+�tō".�!<access>ŊĶ�åÕ�2��

XPToqAś�!Î�1L@gkR8fSl

<access origin='*' allows-arbitrary-loads-in-media='true' allows-arbitrary-loads-in-web-content='true' allows-local-networking='true' />

allows-arbitrary-loads-in-media
• true"À­�AV Foundation Frameworkĸĥ�Œ)ř*eS87!Î��éĺ�ť�ŌŦ�21�

allows-arbitrary-loads-in-web-content
• true"À­�WebView/Ń321kA<JT!Î��éĺ�ť�ŌŦ�21�

allows-local-networking
• true"À­�nq?lXPToqA!�1kMqJ!Î��éĺ�ť�ŌŦ�21�
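The three slides above (Access Origin / Allow Navigation, Content Security Policy, and the ATS attributes on <access>) each show a permissive setting next to a strict one. The following script is an added example, not code from the presentation or from the Cordova project: it parses a constructed config.xml and the two CSP strings from the slides and reports the settings a reviewer would flag (a wildcard <access origin>, plaintext http: origins and navigation targets, ATS relaxation attributes, and 'unsafe-inline' / 'unsafe-eval' or '*' for scripts). The sample config.xml, its app id and hostnames are constructed for the example.

```python
"""Static review of a Cordova app's network policy.

Checks two inputs that the slides discuss:
  * config.xml  -> <access origin> / <allow-navigation> whitelist entries and
                   the iOS ATS relaxation attributes on <access>
  * the CSP <meta> content string from index.html
Sample inputs below are constructed for this example, not taken from a real app.
"""
import xml.etree.ElementTree as ET

# Constructed config.xml; the app id and hostnames are placeholders.
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets" id="example.app" version="1.0.0">
  <name>Example</name>
  <access origin="https://api.example.com" />
  <access origin="*" allows-arbitrary-loads-in-web-content="true" allows-local-networking="true" />
  <allow-navigation href="http://example.com/*" />
</widget>
"""

# The two CSP policies shown on the slides: the strict one (gap: for the iOS
# UIWebView bridge, ssl.gstatic.com for Android) and the permissive one.
CSP_STRICT = ("default-src 'self' data: gap: https://ssl.gstatic.com; "
              "style-src 'self' 'unsafe-inline'; media-src *")
CSP_LOOSE = ("default-src *; style-src 'self' 'unsafe-inline'; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

# Attributes that switch off App Transport Security checks (from the slides).
ATS_RELAXERS = ("allows-arbitrary-loads-in-media",
                "allows-arbitrary-loads-in-web-content",
                "allows-local-networking")
W3_NS = "{http://www.w3.org/ns/widgets}"


def check_config(xml_text):
    """Return a list of findings for the whitelist entries in config.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for acc in root.iter(W3_NS + "access"):
        origin = acc.get("origin", "")
        if origin == "*":
            findings.append("access origin='*' lets XHR reach any host")
        elif origin.startswith("http://"):
            findings.append("access origin uses plaintext http: " + origin)
        for attr in ATS_RELAXERS:
            if acc.get(attr) == "true":
                findings.append("ATS relaxed by %s on origin %r" % (attr, origin))
    for nav in root.iter(W3_NS + "allow-navigation"):
        href = nav.get("href", "")
        if href == "*" or href.startswith("http://"):
            findings.append("allow-navigation lets the WebView load " + href)
    return findings


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def check_csp(policy):
    """Return findings for the script-loading part of a CSP string.

    script-src falls back to default-src when absent, exactly as browsers
    resolve it, so a wildcard default-src with no script-src is caught too.
    """
    d = parse_csp(policy)
    findings = []
    if "*" in d.get("default-src", []):
        findings.append("default-src allows any origin")
    script = d.get("script-src", d.get("default-src", []))
    if "*" in script:
        findings.append("scripts may be loaded from any origin")
    if "'unsafe-inline'" in script:
        findings.append("inline scripts allowed")
    if "'unsafe-eval'" in script:
        findings.append("eval() allowed")
    return findings


if __name__ == "__main__":
    for f in check_config(CONFIG_XML):
        print("config.xml:", f)
    for name, csp in (("strict", CSP_STRICT), ("loose", CSP_LOOSE)):
        print(name, "CSP:", check_csp(csp) or "no findings")
```

Run against the constructed config.xml the script reports the wildcard origin, the two ATS attributes and the http: navigation target; the strict CSP produces no findings, the permissive one three.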

23

WebView"ŁÔÝ

24

WebView"ŁÔÝ

ł£7P_SqT�Ń321iOS�Ĕ'�apOq"ÎÛ!�Æ�1Android�#HJRdEpcqXpT��1WebView�7P_SqT�2 �·ū��1�����Android 5/#�WebView�OS��0Ũ�2�Google Play Store4ś��ł£ħ!7P_SqT�21.�! ���

WebView"ŁÔÝ

iOS.%Android OS"ZqIip�H;7ŭ¬ĩWebF9T.0Ů

iPhone/iPad�#ĔŗħJdqK!w�{��Ŝ*�Android�#Ĵ¥ô�ZqIip4�t�

WebView!ŁÔÝ4æ�Android 4.3��"H;7#�Ĝ���Ŭ�ŭ20%Ů�

25

WebView"ŁÔÝ&"ÎÛ

Chromium4WebView����ģ��1.�!��FqU[qR8ňj9^jk��1

Crosswalk<pIp47_k!ķ)ř*���� Android 4�Ť�^j:G<pIp4þö!

�����ªĿ�

WebView"ŁÔÝ

26

Cordova/_jB9p"ŁÔÝ

27

Cordova!ţ�1ŁÔÝ"¿²

CVE-2015-5208 Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link.

CVE-2015-5207 Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.

CVE-2015-5204 CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.

CVE-2015-8320 Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.

CVE-2015-5256 Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.

Cordova/_jB9p"ŁÔÝ

28

Google Play Store�"ÎÛ

ŁÔÝ"�1Cordova�ģ�/2��1À­�Google Play Store!��Ţ�Ē�Ń321�

Google Play Store�"őùōzhttps://support.google.com/faqs/answer/6325474?hl=ja

ğ»#Cordova Android 4.1.1����/2�[PCqI#7P_nqUuª�

Cordova"ŁÔÝ�Ħġ�1�}×,ÎÛ�ÚŊ! 1�epRVpJ��4õ�� ÚŊ��1�

Cordova/_jB9p"ŁÔÝ

29

kZqJ<pIW7kpB

Y9^kPU7_k"7LPT]69lŭHTML/JavaScriptİŮ#X9R8^EqU!Ep[9l�2��MqJEqU"Ğà�ĭă�!Čĵ�21�ěģ ōŚ4�Ŧ�1�+�EepT"�Ŧ-ũŒ¤ŭþŝ¤Ů4Ì÷�1���ā(���

.0Ŝ5�Îı���#�\lUú!ü«¤4Ń�ÌŃú!Ù«�1�FqU[qR8ň"ü«¤_jB9p4�ģ�1�Ù«!��@q#�kfqTFqZqİ"É� Àâ/©0��ÚŊ��1�

Cordova/_jB9p"ŁÔÝ

Monaca!�ì��217LPTü«¤_jB9phttps://ja.monaca.io/enterprise.html

30

uŊ _jB9p"Ŧ¦

Cordova°�7_kRp_mqT" ��Cordova Core Plugins�³$21¾Ą_jB9p

4�'�®č���1�Ìŧ!#�ģ��� �EqU�±(2��(��ŁÔÝ"ĘÒ!

1ªĿÝ��1�

Cordova/_jB9p"ŁÔÝ

Mohamed Shehab et al., Reducing Attack Surface on Cordova-Based Hybrid Mobile Apps, MobileDeLi 2014

PhoneGap"WebF9T!ëŘ�2���622

�"7_k!Î��"œĊŭ2014ÑŮ�#�

_jB9p"ķ)ř)�Ìŧ"�ģ!Ã�

Ţ��ŋ/2��1�

31

L@g7EqS8pB

32

EqS9pB"çš

Cordova7_k"Ã¥#SPA¼��0�fZ9lWebF9T�Ĕ'�,JavaScript":;9T

�Ŭ��L@g7EqS8pBÎı���#HTML5°�"_jAR8J4ŝģ��1�

• hqGq� SqN"ZkSqHip

• ŝ� <JCq_�Ġ

• JavaScript9pI;AHip"¸ş

• API@q"ŝ� IJĠ

L@g7EqS8pB

33

<JCq_�Ġ

EpR@JT!Û��<JCq_�Ġ�ÚŊ��1��ŝ� ōŚ4Ń�"#¹ũ�

SPA]mqdoqA-Rp_mqT<pIp"èģ�ā(���

L@g7EqS8pB

<div onmouseover="${data1}">${data2}</div><a href="${data3}">link</a><iframe srcdoc="${data4}"></iframe>

Nishimura Muneaki et al., Y9^kPU7_kCqHip"ŁÔÝ!ţ�1�Ĉ 2015

tō"��#�'�"Áô!�"<JCq_�Ġ�ÚŊ

Z9pS8pB4FcqT�1]mqdoqA

-j9^jk

2-Way Binding4æ�,"
• Angular 1
• Angular 2

1-Way Binding4æ�,"
• React

Rp_mqT<pIp
• Handlebars
• Mustache

<JCq_�Ġ4ł��Ìņ�1"#¹ũ��1�+�

]mqdoqA4èģ�1���ā(���

34

§ļÞ¿�U@gepTİ

• CordovaU@gepT
– Security Guide
– Whitelist Guide

• OWASP HTML5 Security Cheat Sheet

• Y9^kPU7_kCqHip"ŁÔÝ!ţ�1�Ĉ–ʼnąÊû et al, Į14¸Þ¿īÇãń]=qjdŭ2014Ů

35

�0������(��

·�­3��Ű

7H7lċÓ�ĩĤxēŇ[email protected]