Security improvement - enable sandboxed JavaScript injection

Description
We got a report from a security scan of our mobile application using the Zoom iOS SDK about a potential security issue when the SDK loads JavaScript content into WKWebView.

Security report details

Recommendation

Code locations

Which iOS Meeting SDK version?
5.10.3

Questions / remarks

  1. Are you collecting specific personal data through this mechanism that we have to know about?
  2. Is it possible to enable a sandboxed context? If not, please provide a reason (would it deteriorate / break some of the SDK functionalities, especially in terms of monitoring?)

Regards.

Hi @nvivot, hope you’re well.

For this I’m going to specifically check with our platform security team for what their guidance will be; we’ll get back to you shortly.

@nvivot, thank you for raising this issue. Consulting with our SDK engineering team, we believe our implementation can be changed to prevent the need for this web view. We are currently targeting an upcoming release to make this change. We have a scheduled deployment which means you might see a release that does not include this, but expect it subsequently.

To answer your questions,

  1. No, this is not used to provide any user context or authorization services.
  2. Yes. We expect you to be able to sandbox this and maintain SDK functionality.

Hi Michael,

Thank you very much for your feedback. Good news, we will definitely look forward to the upcoming releases for this change.

Good to know we can also sandbox anything if needed.

Regards.
