Downside Description:
Our group has encountered vital safety issues inside our Ionic software. These points are rooted in the usage of particular APIs by our Cordova plugins. We’re urgently looking for professional steering to successfully resolve these safety threats.
1. Basic Server Vulnerabilities:
In each our Android and iOS functions, the next APIs invoked by our Cordova plugins have raised vital alarm resulting from “Basic Server Vulnerabilities”:
For Android:
play.googleapis.com:443/c2dm/register3https://play.googleapis.com:443/c2dm/register3
For iOS:
apple-finance.question.yahoo.com:443/v1/yql/applewf/multiquoteiid.googleapis.com:443/iid/registerhttps://iid.googleapis.com:443/iid/register
Regardless of in depth efforts, we now have been unsuccessful to find a viable answer to mitigate these issues.
2. HTTP TRACE Technique is Enabled:
Moreover, our Cordova plugins have utilized the next APIs, resulting in the invention that the HTTP TRACE methodology is enabled, posing a considerable threat:
For Android:
https://clientservices.googleapis.com:443/chrome-variations/se osname=android_webview&milestone=88
For iOS:
https://api-glb-aaps1b.smoot.apple.com:443/searchhttps://app-measurement.com:443https://api.smoot.apple.com:443
We’re unsure concerning the acceptable steps to disable the HTTP TRACE methodology and successfully mitigate this vulnerability.
Plugins in Use:
Our Ionic software incorporates the next Cordova plugins:
// Record of plugins
“@awesome-cordova-plugins/android-permissions”: “^5.45.0”,
“@awesome-cordova-plugins/app-version”: “^5.45.0”,
“@awesome-cordova-plugins/digital camera”: “^5.45.0”,
“@awesome-cordova-plugins/chooser”: “^5.45.0”,
“@awesome-cordova-plugins/clipboard”: “^5.45.0”,
“@awesome-cordova-plugins/core”: “^5.45.0”,
“@awesome-cordova-plugins/dialogs”: “^5.45.0”,
“@awesome-cordova-plugins/fcm”: “^6.4.0”,
“@awesome-cordova-plugins/file”: “^5.45.0”,
“@awesome-cordova-plugins/file-opener”: “^5.45.0”,
“@awesome-cordova-plugins/file-path”: “^5.45.0”,
“@awesome-cordova-plugins/file-transfer”: “^5.45.0”,
“@awesome-cordova-plugins/image-picker”: “^6.4.0”,
“@awesome-cordova-plugins/keyboard”: “^5.45.0”,
“@awesome-cordova-plugins/local-notifications”: “^5.45.0”,
“@awesome-cordova-plugins/community”: “^5.44.0”,
“@awesome-cordova-plugins/streaming-media”: “^5.45.0”,
“@awesome-cordova-plugins/toast”: “^5.45.0”,
“@ionic-native/browser-tab”: “^5.36.0”,
“@ionic-native/core”: “^5.36.0”,
“@ionic-native/crop”: “^5.36.0”,
“@ionic-native/file”: “^5.36.0”,
“@ionic-native/file-picker”: “^5.36.0”,
“@ionic-native/http”: “^5.36.0”,
“@ionic-native/image-picker”: “^5.36.0”,
“@ionic-native/in-app-browser”: “^5.36.0”,
“@ionic-native/keyboard”: “^5.36.0”,
“@ionic/angular”: “^6.2.4”,
“@ionic/angular-server”: “^6.2.5”,
“@ionic/cordova-builders”: “^7.0.0”,
“@ionic/storage”: “^2.1.3”,
“@ngrx/results”: “^14.3.0”,
“@ngrx/retailer”: “^14.3.0”,
“ajv-keywords”: “^5.1.0”,
“autolinker”: “^4.0.0”,
“chart.js”: “^4.3.0”,
“cordova-browser”: “6.0.0”,
“cordova-plugin-androidx-adapter”: “^1.1.3”,
“cordova-plugin-iroot”: “^3.1.0”,
“cordova-plugin-telerik-imagepicker”: “^2.3.2”,
“crypto-js”: “^4.1.1”,
“dialog”: “^0.3.1”,
“domsanitizer”: “^0.2.3”,
“eslint-plugin-ngrx”: “^2.1.4”,
“ionic-5-gallery-modal”: “^0.2.25”,
“ionic-native”: “^2.9.0”,
“ionic-selectable”: “^4.9.0”,
“ionic4-star-rating”: “^1.1.1”,
“ios-sim”: “^9.0.0”,
“second”: “^2.29.4”,
“ng-circle-progress”: “^1.6.0”,
“ng2-charts”: “^4.1.1”,
“ngx-linky”: “^4.0.0”,
“rxjs”: “~6.6.0”,
Request for Help:
We earnestly search professional recommendation and group insights on the way to deal with these vital safety vulnerabilities. Whether or not it entails configuration adjustments, plugin updates, or some other vital measures, your steering is invaluable to us.
Your well timed help in resolving these points is deeply appreciated. Thanks upfront to your experience and help.