cordova-plugin-antitampering icon indicating copy to clipboard operation
cordova-plugin-antitampering copied to clipboard

Published 20 hours ago verified publisher icon duddu

How to integrity all of static files?

Open WuglyakBolgoink opened this issue 6 years ago • 4 comments

Hallo @duddu!

In last pentest feedback we got finding with title "not enough integrity" again :). Because plugin check only ASSETS-folder. Is it possible to do this check for all files? Or I didn't understand the workflow of this plugin?

My www-folder looks like this: image

WuglyakBolgoink avatar May 02 '18 18:05 WuglyakBolgoink

Update:

"assets"-folder was not enough. Because bad guy can change resources from res folder and add some options...

As a solution, we can implement something like this:

public boolean checkIntegrity(Context mContext){
            PackageManager pm = mContext.getPackageManager();
            try{
                PackageInfo appInfo = pm.getPackageInfo(mContext.getPackageName(), PackageManager.GET_SIGNATURE);
                String sig = appInfo.signatures[0].toCharString();
                
                // hier should be checked Signature
            }
            catch(Exception e){}
}

Memo:

  • OWASP Top Ten Mobile: M8 - Code Tampering
  • MASVS-1.0-Anforderung: 8.3

WuglyakBolgoink avatar May 02 '18 18:05 WuglyakBolgoink

Hi @WuglyakBolgoink do you have a solution for this?

ederEnriquez avatar May 15 '18 00:05 ederEnriquez

Can you support me? how can I do that implementation, I have a project with which it is required that they are not modified neither assets nor res, thank you in advance

AntonioHervert avatar May 15 '18 00:05 AntonioHervert

Hallo guys! can anyone with android/iOS skills help us?

WuglyakBolgoink avatar Jul 10 '18 12:07 WuglyakBolgoink