Cordova security: Possible to modify HTML/JS files of deployed application?

We're building an iOS and Android Cordova application in a security sensitive context.

While we're already using a number of techniques to secure our application (for example the Secure Storage Plugin, SSL Pinning and others), there is one question we couldn't find clear answers to so far:

Is it possible for an attacker (maybe using malicious software, especially on Android) to modify the source files (HTML, JS, maybe even the more native parts) that are being executed after the application has been download and installed by the user using proper channels (Android and iOS App store)?

So far there are two major attack scenarios we can think of:

Scenario #1:

  • Attacker can read source code
  • Attacker can read content of local storage
  • Attacker CAN'T read content of encrypted storage
  • Attacker CAN'T modify executed code

Scenario #2:

  • Attacker can modify code that gets executed (and therefore override and intercept all communication between the application and the encrypted storage)

While our current measures can protect us against scenario #1 attacks, we would like to know if scenario #2 attacks are possible (maybe only on rooted Android devices?) and how to protect against them in Cordova. Many thanks!

Note: This question is NOT about an attacker being able to read the source files of our application. While we know that we can protect ourselves against this using different forms of obfuscation, we also know that we de-obfuscation is almost always possible and don't care about this much.


I found this on the Cordova Guide

'Do not assume that your source code is secure

Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.'

Need Your Help

How to push changes from Git repository to Subversion

git git-svn

I am trying to learn how to use GIT with SVN repository (I know SVN, but total newbie in GIT).

Rails/Passenger/Apache: Simple one-off URL redirect to catch stale DNS after server move

ruby-on-rails redirect migration dns move

One of my rails apps (using passenger and apache) is changing server hosts. I've got the app running on both servers (the new one in testing) and the DNS TTL to 5 minutes. I've been told (and exper...