Cordova security: Possible to modify HTML/JS files of deployed application?
We're building an iOS and Android Cordova application in a security sensitive context.
While we're already using a number of techniques to secure our application (for example the Secure Storage Plugin, SSL Pinning and others), there is one question we couldn't find clear answers to so far:
Is it possible for an attacker (maybe using malicious software, especially on Android) to modify the source files (HTML, JS, maybe even the more native parts) that are being executed after the application has been download and installed by the user using proper channels (Android and iOS App store)?
So far there are two major attack scenarios we can think of:
- Attacker can read source code
- Attacker can read content of local storage
- Attacker CAN'T read content of encrypted storage
- Attacker CAN'T modify executed code
- Attacker can modify code that gets executed (and therefore override and intercept all communication between the application and the encrypted storage)
While our current measures can protect us against scenario #1 attacks, we would like to know if scenario #2 attacks are possible (maybe only on rooted Android devices?) and how to protect against them in Cordova. Many thanks!
Note: This question is NOT about an attacker being able to read the source files of our application. While we know that we can protect ourselves against this using different forms of obfuscation, we also know that we de-obfuscation is almost always possible and don't care about this much.
I found this on the Cordova Guide
'Do not assume that your source code is secure