Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Apache Cordova Vulnerabilities Expose Android Apps

A large number of mobile applications are affected by a series of vulnerabilities in the Android platform of Apache Cordova, researchers at IBM Security Systems reported on Tuesday.

A large number of mobile applications are affected by a series of vulnerabilities in the Android platform of Apache Cordova, researchers at IBM Security Systems reported on Tuesday.

Apache Cordova, previously known as PhoneGap, is a set of APIs that enable mobile application developers to access various device functions, such as accelerometer or camera, from JavaScript. The platform can be utilized to create smartphone apps with just JavaScript, CSS, and HTML if combined with mobile frameworks like jQuery Mobile.

Statistics from AppBrain show that 5.8% of Android apps are built using Apache Cordova, including some popular applications like Skype and Amazon. There are also several mobile banking apps created with Cordova (roughly 10% of the ones tested by researchers).

According to IBM’s Security X-Force Research team, the vulnerabilities they havefound can be easily exploited to steal sensitive information from impacted applications, in some cases even remotely if the victim can be tricked into visiting a malicious website.

Android VulnerabilityA total of three vulnerabilities have been found: a high-severity cross-application scripting (XAS) via Android intents (CVE-2014-3500), a medium-severity whitelist bypass for non-HTTP URLs (CVE-2014-3501), and another medium-severity issue that can lead to data leakage to other apps (CVE-2014-3502). The XAS flaw affects Cordova versions up to 3.5.0, while the other security holes impact all Cordova Android versions.

Before making its findings public, IBM notified the Apache Cordova development team, which released version 3.5.1 on Monday to address the security flaws.

While the XAS vulnerability is the most serious one because it allows the execution of arbitrary JavaScript code in the context of impacted Cordova-based applications, the other two issues can also be valuable to cybercriminals. That’s because they’re the ones that can be leveraged to send information back to the attacker.

In an attack scenario described by the company, the attacker lures a mobile banking application user to a malicious website that serves JavaScript code designed to exploit the Cordova vulnerabilities. By doing so, the attacker can gain access to sensitive session information from the targeted app, potentially allowing him to log in to the victim’s account and perform unauthorized transactions. This is a drive-by attack so the victim doesn’t need to interact with the malicious website for the exploit to be successful.

XAS attacks can be mitigated if developers don’t enable JavaScript. Another method is to not allow user data to fully control the URL of the WebView object, which is designed to allow developers to embed a browser within their own applications. Finally, exploitation can also be prevented by restricting JavaScript code loaded from file URIs from accessing files, a protection mechanism that has been implemented by Google starting with Android 4.1.

However, researchers point out that in practice it’s not easy to use these mitigations because Cordova apps need JavaScript to be enabled, and they need to allow universal access from file URIs because local files need to able to communicate with external resources.

Additional technical details on the exploitation of the Cordova framework are available in the white paper published by IBM.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.