Friend Finder App

Video content:

• • 0:00 - Example address book on the mobile device

  • 0:16 - Loading friend finder in the PhoneGap Developer App

  • 0:25 - Fully loaded app

  • 0:33 - Comparing local address book against server using hashed values, resulting in one hit.

In this scenario we consider a completely untrusted application server. The client obtains the code from a trusted source. We use the Apache Cordova framework to package the client-side functionality as an app that can be distributed to mobile devices via a trusted channel. Cordova also provides access to the address book of the device. The program can access the address book only via a function defined in the policy, whose main purpose is to assign a high security level to the contact details. The policy allows declassification by means of a hash function on strings. Leakage of plain contact details to the untrusted server is prevented by assigning a low security level to the arguments and side-effects of RPC functions. The following snippet illustrates a secure and an insecure RPC call:

// Allowed: Look-up of hashed phone number

let rpcResult = remoteLookup (Hash phoneNumber)

// Blocked: Look-up of plain phone number

let rpcResult’ = remoteLookup phoneNumber

The scenario consists of 62 F# and 9966 generated Javascript LOCs.