Security Questions
Hi, we're looking at using this plugin widely at the large tech company, but we want to make sure that the security is very solid before we do so. It seems to be opening up a port between the device (simulator or real) and the computer, and sending arbitrary code across for the device to run. What if we were to encrypt communication between the computer and device and for each to have a shared secret that they communicate to each other before sending code? Or we could use IP whitelisting for each user's test phones. Measures like these, I imagine, would make larger companies like ours more willing to use these sorts of tools. For us personally, to start, we'll be creating a version of this plugin that only accepts local connections so that it works for the simulator.
Hi Michael, no warranties, but there are a number of reasons why security is less of a problem when using injection.
- Injection should only ever be used in DEBUG builds.
- With iOS 10 it is no longer possible to execute arbitrary code on the device (so injection now only works in the simulator).
- The port is opened to accept() at the Xcode end and the application connects to it to consent to updates, which in the simulator are communicated through the filesystem.
- There is a beta version of injection as an App I am trying to move users onto that only allows localhost connections (http://johnholdsworth.com/injection.html)
Give "injection as an app" a try and let me know how you get on. It has almost the same functionality without having to tangle with plugins.
The app is working well! So you're saying that the app will always block external connections?
Do you have the source code for the app for us to poke through?
The app's socket is only bound to localhost. It's not open source at the moment, being largely an integration of my previous work, but if you email injectionapp at johnholdsworth.com I can send you a zip file for review.
Thanks! We'll reach out via email if we decide that's necessary.
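The two replies above describe the listener as opened with accept() at the Xcode end and bound only to localhost. The following is an added example of what that looks like in BSD socket code (it is not the Injection project's own code): the listener is bound to 127.0.0.1 rather than 0.0.0.0, and, as defence in depth, the accepted peer address is re-checked so a non-loopback client is dropped even if the bind were ever changed. Function names and the self-test are assumptions for illustration.

```c
// Added example (not from the Injection project): a loopback-only listener
// plus a peer-address check, written against the POSIX sockets API.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if a host-order IPv4 address is in the loopback block 127.0.0.0/8. */
int is_loopback_ipv4(uint32_t host_order_ip) {
    return (host_order_ip >> 24) == 127;
}

/* Returns 1 if the socket address is an IPv4 loopback address. */
int is_loopback_addr(const struct sockaddr_in *sa) {
    if (sa->sin_family != AF_INET) return 0;
    return is_loopback_ipv4(ntohl(sa->sin_addr.s_addr));
}

/* Create a TCP listener bound to 127.0.0.1 only (never INADDR_ANY / 0.0.0.0).
 * Returns the listening fd, or -1 on failure. If port_out is non-NULL it
 * receives the bound port, which matters when port == 0 (ephemeral). */
int open_loopback_listener(uint16_t port, uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1: the security-relevant line */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    if (port_out) {
        socklen_t len = sizeof addr;
        if (getsockname(fd, (struct sockaddr *)&addr, &len) == 0)
            *port_out = ntohs(addr.sin_port);
    }
    return fd;
}

/* accept() one client, but close it unless the peer is a loopback address.
 * Returns the client fd, or -1 if accept failed or the peer was rejected. */
int accept_loopback_client(int listen_fd) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int client = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (client < 0) return -1;
    if (!is_loopback_addr(&peer)) {
        close(client);
        return -1;
    }
    return client;
}

/* Self-test (assumed helper): bind an ephemeral loopback port, connect to it
 * from this same process, and confirm the accepted peer passes the check.
 * Returns 1 on success, 0 otherwise. */
int loopback_self_test(void) {
    uint16_t port = 0;
    int lfd = open_loopback_listener(0, &port);
    if (lfd < 0) return 0;
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int connected = cfd >= 0 && connect(cfd, (struct sockaddr *)&dst, sizeof dst) == 0;
    int afd = connected ? accept_loopback_client(lfd) : -1;
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return afd >= 0;
}

int main(void) {
    return loopback_self_test() ? 0 : 1;
}
```

Binding to the loopback address is what keeps the port off the network; the peer check only guards against that bind being changed later. Neither step authenticates other processes on the same machine, which is the gap the shared-secret idea in the opening question would address.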
The app has been open sourced and the licenses are all MIT now: https://github.com/johnno1962/InjectionApp