Friend Finder App
Video content:
0:00 - Example address book on the mobile device
0:16 - Loading friend finder in the PhoneGap Developer App
0:25 - Fully loaded app
0:33 - Comparing local address book against server using hashed values, resulting in one hit.
In this scenario we consider a completely untrusted application server. The client obtains the code from a trusted source. We use the Apache Cordova framework to package the client-side functionality as an app that can be distributed to mobile devices via a trusted channel. Cordova also provides access to the address book of the device. The program can access the address book only via a function defined in the policy, whose main purpose is to assign a high security level to the contact details. The policy allows declassification by means of a hash function on strings. Leakage of plain contact details to the untrusted server is prevented by assigning a low security level to the arguments and side-effects of RPC functions. The following snippet illustrates a secure and an insecure RPC call:
// Allowed: Look-up of hashed phone number
let rpcResult = remoteLookup (Hash phoneNumber)
// Blocked: Look-up of plain phone number
let rpcResult’ = remoteLookup phoneNumber
The scenario consists of 62 F# and 9966 generated Javascript LOCs.