SecurityWeek

Apache Cordova Vulnerabilities Expose Android Apps

A large number of mobile applications are affected by a series of vulnerabilities in the Android platform of Apache Cordova, researchers at IBM Security Systems reported on Tuesday.

Apache Cordova, previously known as PhoneGap, is a set of APIs that enable mobile application developers to access various device functions, such as accelerometer or camera, from JavaScript. The platform can be utilized to create smartphone apps with just JavaScript, CSS, and HTML if combined with mobile frameworks like jQuery Mobile.

Statistics from AppBrain show that 5.8% of Android apps are built using Apache Cordova, including some popular applications like Skype and Amazon. There are also several mobile banking apps created with Cordova (roughly 10% of the ones tested by researchers).

According to IBM’s Security X-Force Research team, the vulnerabilities they have found can be easily exploited to steal sensitive information from impacted applications, in some cases even remotely if the victim can be tricked into visiting a malicious website.

A total of three vulnerabilities have been found: a high-severity cross-application scripting (XAS) via Android intents (CVE-2014-3500), a medium-severity whitelist bypass for non-HTTP URLs (CVE-2014-3501), and another medium-severity issue that can lead to data leakage to other apps (CVE-2014-3502). The XAS flaw affects Cordova versions up to 3.5.0, while the other security holes impact all Cordova Android versions.

Before making its findings public, IBM notified the Apache Cordova development team, which released version 3.5.1 on Monday to address the security flaws.

While the XAS vulnerability is the most serious one because it allows the execution of arbitrary JavaScript code in the context of impacted Cordova-based applications, the other two issues can also be valuable to cybercriminals. That’s because they’re the ones that can be leveraged to send information back to the attacker.

In an attack scenario described by the company, the attacker lures a mobile banking application user to a malicious website that serves JavaScript code designed to exploit the Cordova vulnerabilities. By doing so, the attacker can gain access to sensitive session information from the targeted app, potentially allowing him to log in to the victim’s account and perform unauthorized transactions. This is a drive-by attack so the victim doesn’t need to interact with the malicious website for the exploit to be successful.

XAS attacks can be mitigated if developers don’t enable JavaScript. Another method is to not allow user data to fully control the URL of the WebView object, which is designed to allow developers to embed a browser within their own applications. Finally, exploitation can also be prevented by restricting JavaScript code loaded from file URIs from accessing files, a protection mechanism that has been implemented by Google starting with Android 4.1.

However, researchers point out that in practice it’s not easy to use these mitigations because Cordova apps need JavaScript to be enabled, and they need to allow universal access from file URIs because local files need to be able to communicate with external resources.
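The three mitigations listed above, applied to a generic Android activity that embeds a WebView; this is an added example, not code from Apache Cordova or from IBM's white paper. The class name, the `url` Intent extra and the host `app.example.com` are hypothetical, and as the researchers note, a Cordova app cannot switch off JavaScript or file-URI access this way.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.net.URI;
import java.net.URISyntaxException;

public class HardenedWebViewActivity extends Activity {
    // Hypothetical names for this example: the Intent extra and the trusted origin.
    private static final String EXTRA_URL = "url";
    private static final String TRUSTED_HOST = "app.example.com";
    private static final String DEFAULT_URL = "https://app.example.com/";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();

        // Keep JavaScript off when the embedded content does not need it.
        settings.setJavaScriptEnabled(false);

        // Script loaded from file:// URIs must not read local files or
        // reach other origins (the restriction Android 4.1 introduced).
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Intent data can come from another app: it may select a page on
        // the trusted origin, but never controls the whole URL.
        webView.loadUrl(chooseUrl(getIntent().getStringExtra(EXTRA_URL)));
        setContentView(webView);
    }

    // Returns the requested URL only if it is https on the trusted host.
    static String chooseUrl(String requested) {
        if (requested == null) {
            return DEFAULT_URL;
        }
        try {
            URI uri = new URI(requested);
            boolean trusted = "https".equalsIgnoreCase(uri.getScheme())
                    && TRUSTED_HOST.equalsIgnoreCase(uri.getHost())
                    && uri.getUserInfo() == null;
            return trusted ? uri.toString() : DEFAULT_URL;
        } catch (URISyntaxException e) {
            return DEFAULT_URL; // malformed input falls back to the default
        }
    }
}
```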

Additional technical details on the exploitation of the Cordova framework are available in the white paper published by IBM.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
