A large number of mobile applications are affected by a series of vulnerabilities in the Android platform of Apache Cordova, researchers at IBM Security Systems reported on Tuesday.
Statistics from AppBrain show that 5.8% of Android apps are built using Apache Cordova, including some popular applications like Skype and Amazon. There are also several mobile banking apps created with Cordova (roughly 10% of the ones tested by researchers).
According to IBM’s Security X-Force Research team, the vulnerabilities they havefound can be easily exploited to steal sensitive information from impacted applications, in some cases even remotely if the victim can be tricked into visiting a malicious website.
A total of three vulnerabilities have been found: a high-severity cross-application scripting (XAS) via Android intents (CVE-2014-3500), a medium-severity whitelist bypass for non-HTTP URLs (CVE-2014-3501), and another medium-severity issue that can lead to data leakage to other apps (CVE-2014-3502). The XAS flaw affects Cordova versions up to 3.5.0, while the other security holes impact all Cordova Android versions.
Before making its findings public, IBM notified the Apache Cordova development team, which released version 3.5.1 on Monday to address the security flaws.
Additional technical details on the exploitation of the Cordova framework are available in the white paper published by IBM.