
We are developing a mobile application (m.website.com).

Is there a way to prevent a rogue developer from building an iOS / Android native app that simply encapsulates our website into the app using WebKit to perform UI redress attacks or clickjacking?

(We know that the HTTP header "X-Frame-Options: Sameorigin" is effective in the scenario of a malicious website that encapsulates (frames) another website, but how do we prevent encapsulation by a native mobile app?)

MGagnon

A mobile browser is a mobile app that you want to be accessing your site. So, I'm not sure that you can prevent apps that have a browser function from accessing your site. If this is something you are worried about, you would need to create an app, not a web page. – schroeder Dec 08 '15 at 15:31

2 Answers

A user cannot trust a web page that is inside an app that they don't trust.

Therefore, if there was a UI redress attack against your website when using a particular app, then this would be the user's fault for trusting the application.

Furthermore, if an application developer wanted users to click something on your site using the phone, then they would simply code this into their application. They would not need the user to do it. Browsers within applications use a different set of cookies than the phone browser, so this would not affect any of the user's existing sessions. They would have had to log onto your site in the application's browser window, and at that point a rogue application could simply have harvested the credentials anyway.

SilverlightFox

Correct, setting X-Frame-Options is a good idea but you are trusting the browser to enforce it. You can't defend against an untrusted browser.

What you are left with is policing the app stores for apps pretending to be you.

Mark Koek
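To make the point of both answers concrete, here is an added example (not code from the original question or either answer): a small WSGI middleware that sets `X-Frame-Options: SAMEORIGIN` together with its modern CSP equivalent `frame-ancestors 'self'`, and a checker that inspects a response's headers. The function names (`anti_framing`, `has_anti_framing`, `run`, `demo_app`) are hypothetical; the header names and values are the standard ones. The middleware is the right thing to deploy against framing by a hostile website, and the checker is what a conforming browser effectively evaluates; a rogue native app that loads the page top-level in its own WebView and draws native controls over it never performs that evaluation, which is exactly why the answers say there is nothing server-side that can stop it.

```python
"""Anti-framing headers as WSGI middleware, plus a header checker.

Added example for this Q&A, not part of the original page.
"""
from wsgiref.util import setup_testing_defaults

# Both headers are set: X-Frame-Options for older browsers, the CSP
# frame-ancestors directive for current ones (it takes precedence where
# both are present).
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]


def anti_framing(app):
    """Wrap a WSGI app so every response carries both anti-framing headers
    unless the app already set them itself."""

    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in ANTI_FRAMING_HEADERS:
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return app(environ, sr)

    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the mobile site (constructed sample, hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>m.website.com</h1>"]


def run(app, path="/"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def has_anti_framing(headers):
    """True if a conforming browser would refuse to render this response
    inside a cross-origin frame. This is the check a browser performs; a
    WebView loading the page at top level simply never runs it."""
    h = {name.lower(): value for name, value in headers}
    xfo = h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")
    csp = "frame-ancestors" in h.get("content-security-policy", "").lower()
    return xfo or csp


if __name__ == "__main__":
    status, headers, body = run(anti_framing(demo_app))
    print(status, headers)
    print("blocks cross-origin framing:", has_anti_framing(headers))
```

Running the module shows the wrapped response carrying both headers and the checker returning True, while the bare `demo_app` returns False. What remains outside the server's control is the second half of the answers: monitoring the app stores for applications impersonating the site.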