Created
December 27, 2012 11:47
Cordova (PhoneGap) iOS Security
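/**
 * Returns the lowercase hexadecimal MD5 digest of the UTF-8 bytes of `data`.
 *
 * MD5 is collision-broken and Apple deprecated CC_MD5 in the iOS 13 SDK. It is
 * kept here only because the callers in this file derive their AES key and IV
 * from this exact output; changing the digest would make existing encrypted
 * assets undecryptable. Do not reuse this helper for password storage or as a
 * key-derivation function in new code.
 *
 * @param data String to hash. May be nil.
 * @return A 32-character lowercase hex string, or nil when `data` is nil.
 */
- (NSString *)toMD5:(NSString *)data {
    // Messaging nil returns NULL here, and strlen(NULL) is undefined behaviour,
    // so bail out before touching the C string.
    const char *cstr = [data UTF8String];
    if (cstr == NULL) {
        return nil;
    }

    unsigned char digest[CC_MD5_DIGEST_LENGTH];
    // CC_MD5 takes a 32-bit CC_LONG length; make the narrowing explicit.
    CC_MD5(cstr, (CC_LONG)strlen(cstr), digest);

    NSMutableString *hex = [NSMutableString stringWithCapacity:CC_MD5_DIGEST_LENGTH * 2];
    for (size_t i = 0; i < CC_MD5_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    // Hand back an immutable string so callers cannot mutate the digest.
    return [NSString stringWithString:hex];
}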
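/**
 * Reads www/index.html from the main bundle, Base64-decodes it, decrypts it
 * with AES in CBC mode (PKCS#7 padding) and returns the result as UTF-8 text.
 *
 * Security review notes. The cryptographic parameters are left unchanged so
 * that assets encrypted for this scheme still decrypt:
 *  - The password is a literal compiled into the binary, so anyone holding the
 *    app bundle holds the key. This is obfuscation, not confidentiality.
 *  - The key is the 32 ASCII hex characters of a single unsalted MD5 of the
 *    password. Passing kCCKeySizeAES256 selects AES-256, but the key material
 *    carries at most 128 bits and no work factor.
 *  - The IV is fixed: it is derived from the same password, so every asset
 *    encrypted under this scheme shares one key/IV pair.
 *  - The ciphertext carries no MAC, so tampering is not detected before the
 *    caller hands the plaintext to the web view. An authenticated mode, or
 *    encrypt-then-MAC with a key not shipped in the binary, would be needed
 *    for real protection.
 *
 * @return The decrypted HTML, or nil when the resource is missing, cannot be
 *         read or decoded, or decryption fails.
 */
- (NSString *)readIndex
{
    // NOTE(review): hard-coded secret; see the header comment.
    NSString *password = @"ffffffffffffffffffffffff";

    // key = hex(MD5(password)); iv = first 16 hex chars of MD5(password + key).
    NSString *keyHex = [self toMD5:password];
    if (keyHex == nil) {
        return nil;
    }
    NSString *ivHex = [[self toMD5:[password stringByAppendingString:keyHex]] substringToIndex:16];
    // Keep the NSString objects in locals so the C pointers below stay backed
    // by a live object for the whole method.
    const char *key = [keyHex UTF8String];
    const char *iv = [ivHex UTF8String];
    if (key == NULL || iv == NULL) {
        return nil;
    }

    NSString *indexPath = [[NSBundle mainBundle] pathForResource:@"www/index" ofType:@"html"];
    if (indexPath == nil) {
        return nil;
    }

    NSStringEncoding encoding = NSUTF8StringEncoding;
    NSError *error = nil;
    NSString *base64String = [NSString stringWithContentsOfFile:indexPath
                                                   usedEncoding:&encoding
                                                          error:&error];
    // Check the return value rather than the error pointer.
    if (base64String == nil) {
        return nil;
    }

    NSData *cipherData = [NSData dataFromBase64String:base64String];
    NSUInteger cipherLength = [cipherData length];
    if (cipherLength == 0) {
        return nil;
    }

    // CBC with padding never produces more than input length + one block.
    size_t bufferSize = cipherLength + kCCBlockSizeAES128;
    void *plainBuffer = malloc(bufferSize);
    if (plainBuffer == NULL) {
        return nil;
    }

    size_t bytesMoved = 0;
    CCCryptorStatus status = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                     key, kCCKeySizeAES256, iv,
                                     [cipherData bytes], cipherLength,
                                     plainBuffer, bufferSize, &bytesMoved);
    if (status != kCCSuccess) {
        // The original leaked this buffer whenever decryption failed.
        free(plainBuffer);
        return nil;
    }

    // dataWithBytesNoCopy:length: takes ownership of the malloc'd buffer and
    // frees it when the NSData object is deallocated.
    NSData *plainData = [NSData dataWithBytesNoCopy:plainBuffer length:bytesMoved];
    // NOTE(review): assumes ARC, as the original alloc/init with no release
    // suggests - confirm against the project settings.
    return [[NSString alloc] initWithData:plainData encoding:NSUTF8StringEncoding];
}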
// Prefer the page decrypted by -readIndex; when it yields nothing, fall back
// to loading appURL directly through a normal URL request.
NSString *html = [self readIndex];
BOOL hasDecryptedPage = ([html length] > 0);  // messaging nil yields 0, so nil counts as empty
if (!hasDecryptedPage) {
    NSURLRequest *fallbackRequest = [NSURLRequest requestWithURL:appURL
                                                     cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                 timeoutInterval:20.0];
    [self.webView loadRequest:fallbackRequest];
} else {
    // appURL stays the base URL so relative resources in the page still resolve.
    [self.webView loadHTMLString:html baseURL:appURL];
}
This gist has a number of serious cryptographic errors.
Although this article is for Android, it might give you a sense of other potential mistakes.
Maybe none of this matters because you're actually just obfuscating, not encrypting, but in case anyone else comes along and finds this, it would be good to indicate the problems with it. FYI, since you're just obfuscating, you could use aes128 instead of 256 which would be faster and no less secure.