Security Notes - The-Freedom-Wrapper-Project/tfwp GitHub Wiki

Security Notes and Additional Information About Security and TFWP

Why you should always use a Network Security Config:

  • Application sandboxes are great, but there are always aspects of a sandbox that make it, by design and in fact, not truly a sandbox. For example, Android applications can send intents to other applications on your phone. These intents streamline the process of integrating with another application's capabilities. This mechanism has been compromised in the past (Exhibit A and Exhibit B with proof of concept available here). We shouldn't assume intents are inherently insecure, but it does suggest we should be cognizant of the words we use to describe things like sandboxes, especially where human error and development are involved. This is also true for permissions and trackers. If you give an app a ton of permissions and it uses a massive number of embedded trackers, it becomes theoretically possible for it to send the information it collects back to "home" servers, rendering the security of the application sandbox moot. This problem is especially acute for network security on your Android device. By default, your applications rely on your phone's root certificate authorities to securely access websites, among many other things. If this root certificate store is compromised, every application on your device, regardless of sandbox, is susceptible to being rerouted to malicious servers. While this is highly unlikely, it is only one of many reasons why the Android Network Security Configuration is important. With this config, you can pin certificates to your application, bypassing the Android certificate ecosystem and using the ones you set for the domains you specify instead. For more information on this process, beyond what our brief guide already gives you, please see the documentation straight from the Android Studio developers here. Furthermore, here are some general security tips.
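The following is an added example, not code from TFWP: a small Python audit that parses a Network Security Config and reports settings that weaken or silently disable the pinning described above. The sample XML, its domains and its pin value are constructed placeholders, and `audit` is a hypothetical helper name; the element and attribute names are those of the Android Network Security Configuration format.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample of res/xml/network_security_config.xml; the domains
# and the pin value are placeholders, not real SPKI hashes.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">app.example.com</domain>
        <pin-set expiration="2020-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
    <domain-config>
        <domain>api.example.com</domain>
    </domain-config>
</network-security-config>"""


def audit(xml_text, today):
    """Return a list of findings for a Network Security Config document."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():  # base-config and every domain-config
        if node.get("cleartextTrafficPermitted") == "true":
            findings.append(f"<{node.tag}> permits cleartext traffic")
    for cert in root.iter("certificates"):
        if cert.get("src") == "user":
            findings.append("user-installed CAs are trusted")
    for cfg in root.iter("domain-config"):
        names = ", ".join(d.text.strip() for d in cfg.findall("domain"))
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append(f"{names}: no pin-set, falls back to the trust store")
            continue
        pins = pin_set.findall("pin")
        if len(pins) < 2:  # a second pin keeps the app working after key rotation
            findings.append(f"{names}: no backup pin")
        if any(p.get("digest") != "SHA-256" for p in pins):
            findings.append(f"{names}: pin digest is not SHA-256")
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) <= today:  # past this date pins are ignored
            findings.append(f"{names}: pin-set expired {exp}, pinning not enforced")
    return findings
```

Calling `audit(SAMPLE_CONFIG, date.today())` on the sample reports the cleartext setting, the trusted user CAs, the single expired pin on `app.example.com`, and the unpinned `api.example.com`.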

Why you should disable JavaScript (not to be confused with Java) on WebView:

  • Sometimes it seems like JavaScript is the original sin of web development. There have been security vulnerabilities in JavaScript since its creation, with little change in its security "strength" over time (Exhibit A and Exhibit B). JavaScript is enabled by default on all TFWP applications because a lot of developers find it difficult to make cool apps and websites without it. This is a trade-off you should be aware of for all your browsing-based services, as they are all vulnerable to a wide range of web-based attacks, including, but not limited to, XSS and CSRF attacks. Here is an article that gives a good breakdown of why you should disable JavaScript and develop Android applications with this in mind, including WebView. The biggest problem, and the reason JavaScript is enabled as the baseline on all TFWP applications, is relatively simple: every major or minor developer enables JavaScript on their platforms. This happens to such an extent that major companies add code to suppress warnings from integrated development environments (IDEs), including Android Studio, that tell them JavaScript is not secure. Unfortunately, this is a development-ecosystem problem and not a developer problem. It has been a problem for far longer than people would like to admit. If you are giving TFWP flak for enabling it by default, you are putting the wrong emphasis on the wrong syllable, especially considering major corporations (and 95% of 1.6 billion websites) have not stopped using it (Exhibit C and Exhibit D) even while they virtue-signal their security conscientiousness.

These notes are written in the spirit of full disclosure to increase adoption of good Android coding practices, while being cognizant of the fact that, unless the world changes overnight, some good practices cannot be implemented fully without pragmatism. TFWP is nothing if not practical. Our attempts to establish good coding practices straddle the line between what we want and what we can achieve successfully.