Security Alert for cordova-plugin-ionic-webview

Original post here: https://goo.gl/hVvtij

The Ionic team has released an important security update to cordova-plugin-ionic-webview to address a flaw in the embedded webserver used in previous versions of the plugin that could allow a specially-crafted application to access the webserver from another app.

To ensure your applications are free from any potential vulnerability, please update cordova-plugin-ionic-webview to one of the following versions:

  • v3.0.0 if you no longer need to support iOS 10.
  • v2.3.1 if you need to continue supporting iOS 10.

To update, see the instructions at the bottom of this post.

More information

This security patch resolves an issue in the embedded webserver used in previous versions that could allow specially-crafted applications to access the web server from other apps in rare cases.

While this issue raises security concerns, Ionic has not seen any reports of a credible exploit and our engineers have confirmed no data was ever at risk as app state, local storage, and all other data remains sandboxed by the OS.

Exploiting the issue would be very challenging in the wild.

Nonetheless, out of an abundance of caution Ionic recommends all users update to one of the above versions as early as possible.

Which version is right for you?

Version 3.x is our long-term recommended version and removes the internal webserver used in previous versions, along with dropping support for iOS 10 due to new APIs that are only available in iOS 11 and above.

v2.3.1 maintains iOS 10 support, and allows for deactivation of the internal web server on iOS 11+.

As of January 1st 2019, only 8% of iOS devices use iOS 10 or lower. If iOS 10 support is required, v2.3.1 or greater can be used.

Additionally, if using 2.3.1, we strongly recommend disabling the webserver on iOS 11+ and configuring a new port (instead of 8080) for your app to run on by setting the following preferences in config.xml:

<preference name="UseScheme" value="true" />
<preference name="WKPort" value="9634" />

Most configurations will also need to whitelist the selected port.

<allow-navigation href="http://localhost:9634/*" />

What platform(s) are affected?

iOS: Low Risk

Android: No Risk

Android applications are unaffected by this vulnerability.

Is my application at risk?

The vulnerability may be present in your application if any of the following are true:

  • You are using cordova-plugin-ionic-webview v2.1.4 or lower
  • You are using cordova-plugin-ionic-webview v2.3.1 or lower with the default port.

Verify plugin versioning:

Download and extract your release app from the App/Play store. The specific version of every installed plugin is available in cordova_plugins.js.

  • iOS: located at Payload/<app name>.app/www/cordova_plugins.js
  • Android: located at assets/www/cordova_plugins.js

Example:

module.exports.metadata =
// TOP OF METADATA
{
    "cordova-plugin-whitelist": "1.3.3",
    "cordova-plugin-statusbar": "2.4.2",
    "cordova-plugin-device": "2.0.2",
    "cordova-plugin-splashscreen": "5.0.2",
    "cordova-plugin-ionic-keyboard": "2.1.3",
    "cordova-plugin-ionic-webview": "2.3.1",
    "cordova-plugin-file": "6.0.1",
    "cordova-plugin-file-transfer": "1.7.1",
    "cordova-plugin-ionic": "5.2.7"
};
// BOTTOM OF METADATA
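The two "at risk" rules above can be checked mechanically against the cordova_plugins.js and config.xml pulled from a release build. The following script is an added example, not code from Ionic or the plugin; the metadata block and config.xml fragment it reads are constructed samples, and the regex-based extraction assumes the stock formatting of those two files.

```javascript
// Constructed: the metadata object as it appears in www/cordova_plugins.js.
const SAMPLE_CORDOVA_PLUGINS_JS = `
module.exports.metadata =
// TOP OF METADATA
{
    "cordova-plugin-whitelist": "1.3.3",
    "cordova-plugin-ionic-webview": "2.3.1",
    "cordova-plugin-ionic": "5.2.7"
};
// BOTTOM OF METADATA
`;

// Constructed: config.xml fragment that never changed the port from 8080.
const SAMPLE_CONFIG_XML = `
<widget>
  <preference name="UseScheme" value="false" />
</widget>
`;

// Version string recorded for one plugin, or null if it is not installed.
function pluginVersion(cordovaPluginsJs, pluginName) {
  const m = cordovaPluginsJs.match(new RegExp(`"${pluginName}"\\s*:\\s*"([^"]+)"`));
  return m ? m[1] : null;
}
// Value of a <preference name="..." value="..."/> element, or null if absent.
function preference(configXml, name) {
  const m = configXml.match(new RegExp(`<preference\\s+name="${name}"\\s+value="([^"]*)"`));
  return m ? m[1] : null;
}

// Numeric major.minor.patch comparison: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(s => parseInt(s, 10));
  const pb = b.split('.').map(s => parseInt(s, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// 'at-risk' if either advisory rule matches, 'unaffected' otherwise
// (v3.x removed the webserver), 'not-installed' if the plugin is absent.
function assessWebviewRisk(cordovaPluginsJs, configXml) {
  const v = pluginVersion(cordovaPluginsJs, 'cordova-plugin-ionic-webview');
  if (v === null) return 'not-installed';
  if (compareVersions(v, '2.1.4') <= 0) return 'at-risk';  // rule 1: v2.1.4 or lower
  const onDefaultPort = [null, '8080'].includes(preference(configXml, 'WKPort'));
  if (compareVersions(v, '2.3.1') <= 0 && onDefaultPort) return 'at-risk';  // rule 2
  return 'unaffected';
}
```

Run it against the real files from the extracted .ipa; the sample above (2.3.1 with no WKPort set) reports 'at-risk'.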

What can I do?

Update to v3.0.0 (Recommended)

iOS 11+ support only

v3.0.0 docs

cordova plugin rm cordova-plugin-ionic-webview
cordova plugin add cordova-plugin-ionic-webview@latest

Update to v2.3.1

iOS 10+ support

v2.3.1 docs

cordova plugin rm cordova-plugin-ionic-webview
cordova plugin add cordova-plugin-ionic-webview@2.3.1 --save-exact

To ensure your applications are free from any potential vulnerability you must take the following steps.

  • Set an alternate port (the WKPort preference in config.xml, as described above)
  • Disable the webserver for iOS 11+ (the UseScheme preference in config.xml, as described above)

Please Note: A new native build and submission to the App/Play Store is required to update the plugin.

Ionic Appflow Deploy users: After updating cordova-plugin-ionic-webview it is also necessary to update cordova-plugin-ionic.

cordova plugin add cordova-plugin-ionic@latest --save \
--variable APP_ID="<your appflow id>" \
--variable CHANNEL_NAME="<your channel>" \
--variable UPDATE_METHOD="<your update method>"

Deploy API users must ensure that only v5 methods are used in their update logic. The legacy Deploy API is not supported in cordova-plugin-ionic v5.0.0 and higher. Details on all API methods are available in the plugin docs.