CSRF in Mobile Applications

Front-end · Unresolved · 2 · 1796
误落风尘 2021-02-03 23:16

The Situation:

Alice uses an online banking website which stores a cookie of her credentials.

Before the cookie expires, Eve sends Alice a malic

2 answers
  •  梦谈多话
    2021-02-03 23:39

    Will a cookie on Alice's mobile device from a native (or hybrid) application be vulnerable to manipulation, or are these cookies typically sandboxed on the device somehow?

    A CSRF attack involves one application: the browser. Your proposed attack involves two separate applications: the banking app and the browser.

    Generally speaking, separate applications are separate. Safari does not share data with Firefox, even if both are installed on the same OS X machine. Now, there could be bugs in one or the other that might allow JS to have unfettered access to the OS filesystem and therefore allow a web site in Safari to access Firefox's data (or vice versa), but this is not really related to a CSRF.

    The same thing holds for any separate applications, on any modern OS.

    Even something such as creating a cookie in JavaScript and then using PhoneGap or Titanium could be relevant I believe.

    Not really, any more than Safari having cookies and Firefox having cookies are somehow tied.

    it is in fact possible to CSRF an application

    You are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

    As an example, Shared Preferences in Android are sandboxed to prevent other applications from accessing the values.

    Correct. This has little to do with CSRF.

    In the case of Android, it does seem that how you create and store the cookies does matter in the attack and it can have vulnerabilities.

    Again, you are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

    although physical access to the device leads to a security concern

    Having teleporter technology, that would allow a CSRF to cause a mobile device to physically change its location and therefore have an impact on physical access, has yet to be developed.
