Is JavaScript on a mobile browser more secure than JavaScript on other types of systems? For instance, if I have a site that includes some client-side (JavaScript) encryption code, with the intention that it only runs inside a Safari browser on the iPhone (standalone or embedded in an app) or Chrome on an Android device, what are some possible vulnerabilities? Is client-side JavaScript encryption as terrible an idea in the mobile space as in the desktop space?
Caveats:
- Making an app isn't an option. This question is specifically about the security of the mobile browser environment. I do realize that the built-in APIs would be a far better idea.
- Assume that the server hosting the code remains secure, or that the person is running the code locally/offline.
Here's what I've thought of so far:
- Hijacking of the actual transmission (solvable via HTTPS, except MITM)
- Same-origin (solvable via hosting on a dedicated subdomain)
All other attacks (e.g. exploiting a flaw in the iPhone browser) would seem to involve one of these two. Given the general negative attitude toward JavaScript-based encryption, I must be missing something. What am I missing?
view source
, you can debug a webpage in the Mobile Safari with the 'remote' option of the inspector.