Authenticate HTML5 application wrapped with Phonegap (or equivalent)

Is there a way, using JavaScript only (client side), to ensure that an HTTP request is actually coming from my Phonegap application?
Be aware: I'm not talking about authenticating the user, rather, in a sense, about authenticating the app itself. There isn't (and mustn't be) any kind of user interaction related to this.
I'm not even talking about confidentiality of the communication (I'm not using HTTPS and the payload is not encrypted).

My guess is, in the end, this inevitably requires some sort of hard-coded key.
The problem is, as you can see for example here, such a key would usually be accessible to almost anyone - and this problem comes up not only with JavaScript assets, but also with Java on Android.

If no way with Phonegap or any Cordova plugin, could you suggest an equivalent framework (or environment like Icenium) that could make this thing possible?
Or, at last, would there be any real risk in not taking this precaution for the aforesaid scenario?

EDIT: Kurt Du Bois reminded me I did not mention SSL client authentication. Be it applicable/convenient or not, it always comes down to the problem of keeping a private key secret. I find this is well described here, and summed up in the sentence: "the assurance that the key hasn't been exported is only as strong as the key store itself".

Answers:

Answer

An application is a piece of software, not a tangible object. The only way to authenticate it is if that piece of software contains a secret of some kind. From the server, to authenticate a client, you request that the client demonstrate that it knows the secret.

If you allow anyone to download your application, then whatever data it contains is not secret. So you cannot authenticate your application.

What you can do is make the secret harder to extract, with obfuscation techniques. Obfuscation done right is very hard — adding man-months to your development effort if they're to have any benefit. If you can still use a debugger, you're doing it wrong. Obfuscation done wrong means wasted effort. Obfuscated effort means adding days or weeks of work for someone to extract the secret. You need to ask yourself whether it's really worth it. Fundamentally, obfuscation is hiding the key under the doormat. Or behind the flowerpot if you're feeling fancy.

See also some similar questions on Security Stack Exchange: How to store a private RSA key for an application?; Storing private asymmetric key in application binary?

Answer

To do this, you need to start with a good definition of what it means to be running your application. It turns out this is nontrivial, but I'm not going to bore everyone with a discussion of it.

If running your application means engaging in some process with equivalent behaviour to what you intend (the black-box definition), you can partially solve this problem by "shadowing" computation done on the client (either intermittently or constantly) and checking the results, given the same inputs. Do not even think about doing that for cryptography, but it works rather well for things like games where you can periodically audit the client's behaviour given the user input.

You can also introduce odd behaviours into an application (such as creating an invisible sprite in a game which, if targeted for interaction by the client, indicates a modified client).

A lot of work has been done on this type of thing in the game anti-cheat world, not all of which involves checking the environment.
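As an added example of the two ideas in this answer (it is not the answerer's code), the following Node.js snippet shadows a deterministic game simulation on the server and checks for a honeypot entity. The game rules, entity ids and client reports are constructed: the client ships the same pure `applyInput` step function, reports its inputs and the state it arrived at, and the server replays the inputs and compares. The honeypot is an entity that is never rendered, so a faithful client can never send an input targeting it.

```javascript
// Added example: server-side shadowing of client computation plus a honeypot check.
// Rules, ids and reports are constructed for the demo.
const FIELD_WIDTH = 10;
const SPEED = 1;                 // a faithful client moves one cell per input
const HONEYPOT_ID = 'sprite-7';  // never drawn, so never a legitimate target

// Pure, deterministic step function shared by client and server.
function applyInput(state, input) {
  switch (input.type) {
    case 'move': {
      const x = Math.max(0, Math.min(FIELD_WIDTH, state.x + SPEED * input.dir));
      return { ...state, x };
    }
    case 'collect':
      return { ...state, score: state.score + 10 };
    default:
      return state;
  }
}

// Replay a whole input sequence from an initial state.
function simulate(initial, inputs) {
  return inputs.reduce(applyInput, initial);
}

// Audit one client report: flag honeypot interaction, then compare the
// replayed state with the state the client claims.
function auditReport(report) {
  const findings = [];
  if (report.inputs.some(i => i.target === HONEYPOT_ID)) {
    findings.push('honeypot-targeted');
  }
  const expected = simulate(report.initial, report.inputs);
  if (expected.x !== report.claimed.x || expected.score !== report.claimed.score) {
    findings.push('state-mismatch');
  }
  return { ok: findings.length === 0, findings, expected };
}

// Constructed sample reports.
const honestReport = {
  initial: { x: 0, score: 0 },
  inputs: [
    { type: 'move', dir: 1 },
    { type: 'move', dir: 1 },
    { type: 'collect', target: 'sprite-1' },
  ],
  claimed: { x: 2, score: 10 },
};

// Claims a position the rules cannot produce from those inputs.
const speedHackReport = { ...honestReport, claimed: { x: 8, score: 10 } };

// State is internally consistent, but one input targets the invisible entity.
const honeypotReport = {
  ...honestReport,
  inputs: [...honestReport.inputs, { type: 'collect', target: HONEYPOT_ID }],
  claimed: { x: 2, score: 20 },
};

module.exports = { applyInput, simulate, auditReport, honestReport, speedHackReport, honeypotReport };
```

The audit can run on a sample of reports rather than all of them, as the answer suggests; what it cannot cover is anything whose correctness depends on a secret, which is why the answer excludes cryptography.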

Answer

What about working at a higher level: public/private key communication? That way you can have an SSL-encrypted connection and never have to do the necessary authentication.

A possible drawback of this way of working is that you have to generate a new key when your phone gets stolen or when you buy a new one.

Answer

I don't know how to do this, but I have an idea to share with you. The HTML DOM is converted by Web IDL while running in the web browser.

Try converting the HTML5 file to Web IDL and try to find a way to encrypt it, because I have also searched for this for a long time and can't find the way. The online validator for Web IDL is http://www.w3.org/2009/07/webidl-check

I don't know whether this is possible or not. Let us try; if I find any solution regarding this, I will let you know.

Answer

The stringent requirements of security are very common in many business verticals. I found that the Android application is vulnerable to threats if proper guidelines are not followed. To ensure a reliable security mechanism with complete control over the security, I did the following in my project.

To go about securing my application in the HTML5 paradigm, I did the following.

  1. Coded the HTML and JavaScript in separate files. We ensured that the HTML code would not have embedded JavaScript (at least not sensitive JavaScript).

  2. Wrote an external Java program to encrypt all the JavaScript files with a complex key (I used the SHA2 algorithm). In the release to production, the encrypted JavaScript files are included in the assets folder.

  3. Created a JNI-based program to store the key in a variable and provided a method to retrieve this key.

  4. Wrote a convenience method in native Android to do the following:

    • Open the HTML file.
    • Read the HTML file into htmlBuffer.
    • Find the script tags.
    • Read the JavaScript file specified in each script tag into javaScriptBuffers[].
    • Get the complex key from the .so using JNI (refer to step 3).
    • Decrypt all encrypted JavaScript in javaScriptBuffers[]. Check whether a particular JavaScript file is encrypted or not before decrypting it.
    • Replace the script tags in htmlBuffer with the actual JavaScript from javaScriptBuffers[].
    • Load the HTML into the web view.

The coding standards were followed strictly.

Security can be tightened further by encrypting the HTML files as well and then shifting the decryption mechanism into JNI.

My application passed the stringent security assessment with the above method.

In short, I did not rely on any framework but developed a small framework by myself over which I have 100% control. It did not take long once the design was understood properly and the developers were trained in a couple of sessions.

The Android team and the iOS team worked in parallel to make sure that the native part of the coding was taken care of for both platforms. On iOS, we did not need to use encryption and decryption to pass the client's security compliance test.

The development of the first application took a little longer, but once the framework was in place, the next applications were just a matter of coding HTML and JavaScript and following the correct release process before production.
