Connect with us

Hi, what are you looking for?



Serious Flaw in Apache Cordova Puts Android Apps at Risk

Researchers at Trend Micro have identified a high severity vulnerability in the Android version of Apache Cordova. Updates have been released to address the security bug.

Researchers at Trend Micro have identified a high severity vulnerability in the Android version of Apache Cordova. Updates have been released to address the security bug.

Apache Cordova, an open source distribution of PhoneGap, is a popular platform designed for building native mobile applications using HTML, CSS and JavaScript. The Apache Cordova APIs allow mobile developers to access a device’s native functions, such as the camera and accelerometer, from JavaScript.

According to Seven Shen, the Trend Micro mobile threat analyst credited for discovering the flaw, an attacker can exploit the vulnerability to modify the behavior of Android applications built on the Apache Cordova framework by getting the victim to visit a specially crafted website.

The vulnerability, related to secondary configuration variables in Apache Cordova for Android (CVE-2015-1835), allows an attacker to tamper with the targeted application or cause it to crash.

Secondary configuration variables, also known as preferences, allow developers to configure their apps. The list of preferences includes SetFullscreen, BackgroundColor, SplashScreen, Orientation, LoadingPageDialog, and DefaultVolumeStream. Developers can configure these preferences in the config.xml file or they can leave them undefined with default values, which many developers do, according to Shen.

“The vulnerability is found in a Cordova feature where secondary configuration variables could be set from intent bundles in the base activity,” Shen said in a blog post. “Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.”

Trend Micro has created proof-of-concept (PoC) applications to demonstrate that a malicious actor can leverage the vulnerability to push pop-ups, inject splash screens, change an app’s background color and display settings, and tamper with the volume button controller. Injecting special data into the intent bundle can cause an application to crash, Shen said.

Advertisement. Scroll to continue reading.

Statistics from AppBrain show that Apache Cordova is used in roughly 5.6 percent of the applications hosted on Google Play and most of them could be affected by the vulnerability, which plagues Cordova 4.0.1 and earlier.

Apache Cordova developers have released versions 4.0.2 and 3.7.2 to patch the security hole. The issue only appears to affect Android, so updates for iOS and other platforms have not been released.

“The latest release of Cordova Android entirely removes the ability of configuration parameters to be set by intents. This change is an API change in the platform, and third-party plugins that use values set in the config.xml should make sure that they use the preferences API instead of relying on the Intent bundle, which can be manipulated in this case,” explained Joe Bowser, one of the co-creators of PhoneGap who currently works on the Apache Cordova project.

“Developers who are concerned about this should rebuild their applications with Cordova Android 4.0.2. Developers unable to upgrade to 4.0.2 also have the option of upgrading to Cordova Android 3.7.2. Developers should also make sure that variables that they wish to have protected are specified in their config.xml,” Bowser added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.