Any security concerns with the HTTP server socket in Couchbase Lite + Phonegap?


Traun Leyden

Jun 15, 2015, 4:27:11 PM6/15/15
to mobile-c...@googlegroups.com

A user asked me over email whether there were any security concerns with the HTTP server socket in Couchbase Lite when used with PhoneGap.

iOS

There should be zero concerns since it uses CBLURLProtocol, which avoids the networking stack completely.  

Android

It listens on a real listener socket, which pretty much anyone can connect to (even different devices on the network).  In order to prevent unwanted access, the following happens:

1. The PhoneGap app makes a special native call into Couchbase Lite which returns a pseudo randomly generated set of Basic Auth credentials.

2. The PhoneGap app must then pass these Basic Auth credentials to the Couchbase Lite REST API on every request.

3. Couchbase Lite will verify the Basic Auth credentials on every request and return 4XX errors if they don't match the expected values.

Potential security issues on Android:

- Traffic between the PhoneGap App and Couchbase Lite is only on localhost, and so wouldn't be sniffable via other devices.  However, an attacker might figure out a way to sniff the traffic using another app (I don't think this is actually possible, but can't rule it out completely).  If they were able to sniff the traffic, they could gain access to the Basic Auth credentials and therefore the Couchbase Lite database.  (FIX idea: use HTTPS?)
