Security bug in Cordova allows a single URL click to tamper Android Apps

Security flaw in the Apache Cordova developer framework could allow for malicious injections into Android apps.

A serious security glitch has been found inside the device APIs used to develop Android applications.

Developed by The Apache Software Foundation, Apache Cordova, is a set of tools of device APIs used by mobile app developers to approach native device functions including accelerometer and cameras from JavaScript.

The APIs give a Javascript library to appeal to different functions. When this is used with Cordova, mobile apps can be built using web technologies such as CSS, HTML and Javascript. The service is adaptable with the Windows Phone, Android, iOS, Blackberry, Bada, Palm WebOS, and Symbian platforms.

Cordova had confessed in a security bulletin posted this week that a “major” security issue has been found in the API platform.

Identified by the TrendMicro Mobile Threat Research Team (TRT), the security susceptibility allows attackers to modify the behavior of Android apps by just clicking a URL. The damage of the modifications can range from crashing the apps completely to causing annoyance for app users.

This is due to the deficiency of clear and detailed values set in Config.xml by Android apps built using the Cordova framework, which in turn creates an opportunity for threat actors to put undefined secondary configuration variables. According to the foundation, this can result in “unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing.”

Labelled as CVE-2015-1835, the security susceptibility does require particular conditions to make full use of. At least one of the app’s elements must enlarge from Cordova’s root activity — CordovaActivity — or the Cordova framework must be interfered with to ensure that the framework’s Config.java system is not properly protected. Further, at least one of Cordova supported preferences — except ErrorUrl and LogLevel — is not defined in the configuration file config.xml. TRT says:

“We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the “CordovaActivity” and very few explicitly define all preferences in their configuration.

Moreover, all of Cordova-based apps build from the Cordova Command-Line Interface(CLI)() automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable.”
TRT explained “Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.” An app’s looks could be changed, popups, advertisements and splashscreens could be administered into an app’s interface, the basic functionalities of an app may be interfered with or the app could be forced to crash due to the security fault.

Majority of the Cordova-based app’s that accounts for 5.6 percent of all apps in Google Play are liable to exploit, a fact that was highlighted by the security team.

To fix these security issues, Cordova is releasing version 4.0.2. of the API set. It also suggests that all Android applications built using Cordova 4.0x or higher must be upgraded to use version 4.0.2 of Cordova Android. Mobile app developers who are using older versions of Cordova can also upgrade to 3.7.2 to fix the same security issue. Other platforms are believed not to be influenced by the susceptibility.