You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cordova.apache.org by Dan Field <df...@gmail.com> on 2018/01/06 19:21:38 UTC
cordova-plugin-file-transfer
The Android version of this plugin makes calls to file.delete on abort()
and on a failed/partial download().
Any thoughts on updating this logic to first write garbage to the file
before deleting it to make recovery of sensitive data more difficult? I'm
getting complaints from my security team that file.delete could potentially
leave data recoverable, even if it's fairly unlikely.
Dan Field
Re: cordova-plugin-file-transfer
Posted by Dan Field <df...@gmail.com>.
Well, actually, I'm becoming less convinced that overwriting the file would
really improve security - the OS could end up writing the new data to a
different location on the card, leaving the partially downloaded data
anyway.
Unless anyone has a better idea, I'm probably going to have to go back to
my security team and just tell them we're not storing anything worth
worrying about this much anyway...
On Sat, Jan 6, 2018 at 7:31 PM, Dan Field <df...@gmail.com> wrote:
> So I'm happy to do the implementation/create the issue/ do the PR.
>
> As much as I'd like to transition to using XHR, that causes some other
> issues internally for the project I'm workining on - the most pressing one
> currently is that we're required to support some older platforms that don't
> work with arraybuffer/blob requests. I agree it's a better solution, but
> it's not an option for me right now.
>
> I have seen recent activity on file-transfer, so hopefully this won't be
> impossible to get through.
>
> On Sat, Jan 6, 2018 at 4:47 PM, julio cesar sanchez <
> jcesarmobile@gmail.com> wrote:
>
>> Also, file-transfer plugin has been deprecated, so is less likely to get
>> that change applied. Read more about the deprecating and the recommended
>> transition at
>> https://cordova.apache.org/blog/2017/10/18/from-filetransfer-to-xhr2.html
>> .
>>
>>
>> 2018-01-06 21:48 GMT+01:00 Simon MacDonald <si...@gmail.com>:
>>
>> > Probably best to create an issue in JIRA and we love PR's.
>> >
>> >
>> > Simon Mac Donald
>> > http://simonmacdonald.com
>> >
>> > On Sat, Jan 6, 2018 at 2:21 PM, Dan Field <df...@gmail.com> wrote:
>> >
>> > > The Android version of this plugin makes calls to file.delete on
>> abort()
>> > > and on a failed/partial download().
>> > >
>> > > Any thoughts on updating this logic to first write garbage to the file
>> > > before deleting it to make recovery of sensitive data more difficult?
>> > I'm
>> > > getting complaints from my security team that file.delete could
>> > potentially
>> > > leave data recoverable, even if it's fairly unlikely.
>> > >
>> > > Dan Field
>> > >
>> >
>>
>
>
Re: cordova-plugin-file-transfer
Posted by Dan Field <df...@gmail.com>.
So I'm happy to do the implementation/create the issue/ do the PR.
As much as I'd like to transition to using XHR, that causes some other
issues internally for the project I'm workining on - the most pressing one
currently is that we're required to support some older platforms that don't
work with arraybuffer/blob requests. I agree it's a better solution, but
it's not an option for me right now.
I have seen recent activity on file-transfer, so hopefully this won't be
impossible to get through.
On Sat, Jan 6, 2018 at 4:47 PM, julio cesar sanchez <jc...@gmail.com>
wrote:
> Also, file-transfer plugin has been deprecated, so is less likely to get
> that change applied. Read more about the deprecating and the recommended
> transition at
> https://cordova.apache.org/blog/2017/10/18/from-filetransfer-to-xhr2.html.
>
>
> 2018-01-06 21:48 GMT+01:00 Simon MacDonald <si...@gmail.com>:
>
> > Probably best to create an issue in JIRA and we love PR's.
> >
> >
> > Simon Mac Donald
> > http://simonmacdonald.com
> >
> > On Sat, Jan 6, 2018 at 2:21 PM, Dan Field <df...@gmail.com> wrote:
> >
> > > The Android version of this plugin makes calls to file.delete on
> abort()
> > > and on a failed/partial download().
> > >
> > > Any thoughts on updating this logic to first write garbage to the file
> > > before deleting it to make recovery of sensitive data more difficult?
> > I'm
> > > getting complaints from my security team that file.delete could
> > potentially
> > > leave data recoverable, even if it's fairly unlikely.
> > >
> > > Dan Field
> > >
> >
>
Re: cordova-plugin-file-transfer
Posted by julio cesar sanchez <jc...@gmail.com>.
Also, file-transfer plugin has been deprecated, so is less likely to get
that change applied. Read more about the deprecating and the recommended
transition at
https://cordova.apache.org/blog/2017/10/18/from-filetransfer-to-xhr2.html.
2018-01-06 21:48 GMT+01:00 Simon MacDonald <si...@gmail.com>:
> Probably best to create an issue in JIRA and we love PR's.
>
>
> Simon Mac Donald
> http://simonmacdonald.com
>
> On Sat, Jan 6, 2018 at 2:21 PM, Dan Field <df...@gmail.com> wrote:
>
> > The Android version of this plugin makes calls to file.delete on abort()
> > and on a failed/partial download().
> >
> > Any thoughts on updating this logic to first write garbage to the file
> > before deleting it to make recovery of sensitive data more difficult?
> I'm
> > getting complaints from my security team that file.delete could
> potentially
> > leave data recoverable, even if it's fairly unlikely.
> >
> > Dan Field
> >
>
Re: cordova-plugin-file-transfer
Posted by Simon MacDonald <si...@gmail.com>.
Probably best to create an issue in JIRA and we love PR's.
Simon Mac Donald
http://simonmacdonald.com
On Sat, Jan 6, 2018 at 2:21 PM, Dan Field <df...@gmail.com> wrote:
> The Android version of this plugin makes calls to file.delete on abort()
> and on a failed/partial download().
>
> Any thoughts on updating this logic to first write garbage to the file
> before deleting it to make recovery of sensitive data more difficult? I'm
> getting complaints from my security team that file.delete could potentially
> leave data recoverable, even if it's fairly unlikely.
>
> Dan Field
>