Security improvement - enable sandboxed javascript injection

Description
We got a report from a security scan of our mobile application using the Zoom iOS SDK about a potential security issue when the SDK load javascript content into WKWebView.

Security report details

Recommendation

Code locations

Which iOS Meeting SDK version?
5.10.3

Questions / remarks

  1. Are you collecting specific personal data through this mechanism that we have to know about ?
  2. Is it possible to enable sandboxed context ? If not, please provide a reason (would it deteriorate / break some of the SDK functionalities, especially in term of monitoring?)

Regards.

Hi @nvivot, hope you’re well :slight_smile:

For this I’m going to specifically check with our platform security team for what their guidance will be, we’ll get back to you shortly.

@nvivot, thank you for raising this issue. Consulting with our SDK engineering team, we believe our implementation can be changed to prevent the need for this web view. We are currently targeting an upcoming release to make this change. We have a scheduled deployment which means you might see a release that does not include this, but expect it subsequently.

To answer your questions,

  1. No, this is not used to provide any user context or authorization services.
  2. Yes. We expect you to be able to sandbox this and maintain SDK functionality.
1 Like

Hi Michael,

Thank you very much for your feedback. Good news, we will definitely look forward for the upcoming releases for this change.

Good to know we can also sandbox anything if needed.

Regards.

1 Like