Apache Cordova Vulnerabilities Expose Android Apps

A large number of mobile applications are affected by a series of vulnerabilities in the Android platform of Apache Cordova, researchers at IBM Security Systems reported on Tuesday.

Apache Cordova, previously known as PhoneGap, is a set of APIs that enable mobile application developers to access various device functions, such as accelerometer or camera, from JavaScript. The platform can be utilized to create smartphone apps with just JavaScript, CSS, and HTML if combined with mobile frameworks like jQuery Mobile.

Statistics from AppBrain show that 5.8% of Android apps are built using Apache Cordova, including some popular applications like Skype and Amazon. There are also several mobile banking apps created with Cordova (roughly 10% of the ones tested by researchers).

According to IBM’s Security X-Force Research team, the vulnerabilities they have found can be easily exploited to steal sensitive information from impacted applications, in some cases even remotely if the victim can be tricked into visiting a malicious website.

A total of three vulnerabilities have been found: a high-severity cross-application scripting (XAS) via Android intents (CVE-2014-3500), a medium-severity whitelist bypass for non-HTTP URLs (CVE-2014-3501), and another medium-severity issue that can lead to data leakage to other apps (CVE-2014-3502). The XAS flaw affects Cordova versions up to 3.5.0, while the other security holes impact all Cordova Android versions.

Before making its findings public, IBM notified the Apache Cordova development team, which released version 3.5.1 on Monday to address the security flaws.

While the XAS vulnerability is the most serious one because it allows the execution of arbitrary JavaScript code in the context of impacted Cordova-based applications, the other two issues can also be valuable to cybercriminals. That’s because they’re the ones that can be leveraged to send information back to the attacker.

In an attack scenario described by the company, the attacker lures a mobile banking application user to a malicious website that serves JavaScript code designed to exploit the Cordova vulnerabilities. By doing so, the attacker can gain access to sensitive session information from the targeted app, potentially allowing him to log in to the victim’s account and perform unauthorized transactions. This is a drive-by attack so the victim doesn’t need to interact with the malicious website for the exploit to be successful.

XAS attacks can be mitigated if developers don’t enable JavaScript. Another method is to not allow user data to fully control the URL of the WebView object, which is designed to allow developers to embed a browser within their own applications. Finally, exploitation can also be prevented by restricting JavaScript code loaded from file URIs from accessing files, a protection mechanism that has been implemented by Google starting with Android 4.1.

However, researchers point out that in practice it’s not easy to use these mitigations because Cordova apps need JavaScript to be enabled, and they need to allow universal access from file URIs because local files need to be able to communicate with external resources.
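The three mitigations described above, applied in a plain (non-Cordova) Android activity that embeds a WebView. This is an added example, not code from IBM's white paper or from the Cordova project; the class name, the `url` intent extra and the `help.example.com` host are hypothetical, and a minSdkVersion of 16 or later is assumed.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HelpActivity extends Activity {
    // Hypothetical names and hosts, chosen for this example only.
    private static final String EXTRA_URL = "url";
    private static final String DEFAULT_URL = "https://help.example.com/index.html";
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("help.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();

        // Mitigation 1: keep JavaScript off unless the content needs it.
        settings.setJavaScriptEnabled(false);
        // Mitigation 3: script in a file:// page may not read other files or
        // other origins. Already the default for apps targeting API 16+;
        // set explicitly so a later edit cannot silently loosen it.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setAllowFileAccess(false);

        // Mitigation 2: an intent extra is data supplied by another app,
        // so it never reaches loadUrl() without validation.
        webView.loadUrl(chooseUrl(getIntent().getStringExtra(EXTRA_URL)));
        setContentView(webView);
    }

    /** Returns the requested URL only if it is https on an allowed host. */
    static String chooseUrl(String requested) {
        if (requested == null) return DEFAULT_URL;
        Uri uri = Uri.parse(requested);
        String host = uri.getHost();  // null for javascript:, data:, etc.
        boolean allowed = "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && uri.getUserInfo() == null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        return allowed ? requested : DEFAULT_URL;
    }
}
```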

Additional technical details on the exploitation of the Cordova framework are available in the white paper published by IBM.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
