Security Experts:

Serious Flaw in Apache Cordova Puts Android Apps at Risk

Researchers at Trend Micro have identified a high severity vulnerability in the Android version of Apache Cordova. Updates have been released to address the security bug.

Apache Cordova, an open source distribution of PhoneGap, is a popular platform designed for building native mobile applications using HTML, CSS and JavaScript. The Apache Cordova APIs allow mobile developers to access a device’s native functions, such as the camera and accelerometer, from JavaScript.

According to Seven Shen, the Trend Micro mobile threat analyst credited for discovering the flaw, an attacker can exploit the vulnerability to modify the behavior of Android applications built on the Apache Cordova framework by getting the victim to visit a specially crafted website.

The vulnerability, related to secondary configuration variables in Apache Cordova for Android (CVE-2015-1835), allows an attacker to tamper with the targeted application or cause it to crash.

Secondary configuration variables, also known as preferences, allow developers to configure their apps. The list of preferences includes SetFullscreen, BackgroundColor, SplashScreen, Orientation, LoadingPageDialog, and DefaultVolumeStream. Developers can configure these preferences in the config.xml file or they can leave them undefined with default values, which many developers do, according to Shen.

“The vulnerability is found in a Cordova feature where secondary configuration variables could be set from intent bundles in the base activity,” Shen said in a blog post. “Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.”

Trend Micro has created proof-of-concept (PoC) applications to demonstrate that a malicious actor can leverage the vulnerability to push pop-ups, inject splash screens, change an app’s background color and display settings, and tamper with the volume button controller. Injecting special data into the intent bundle can cause an application to crash, Shen said.

Statistics from AppBrain show that Apache Cordova is used in roughly 5.6 percent of the applications hosted on Google Play and most of them could be affected by the vulnerability, which plagues Cordova 4.0.1 and earlier.

Apache Cordova developers have released versions 4.0.2 and 3.7.2 to patch the security hole. The issue only appears to affect Android, so updates for iOS and other platforms have not been released.

“The latest release of Cordova Android entirely removes the ability of configuration parameters to be set by intents. This change is an API change in the platform, and third-party plugins that use values set in the config.xml should make sure that they use the preferences API instead of relying on the Intent bundle, which can be manipulated in this case,” explained Joe Bowser, one of the co-creators of PhoneGap who currently works on the Apache Cordova project.

“Developers who are concerned about this should rebuild their applications with Cordova Android 4.0.2. Developers unable to upgrade to 4.0.2 also have the option of upgrading to Cordova Android 3.7.2. Developers should also make sure that variables that they wish to have protected are specified in their config.xml,” Bowser added.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.