Pierluigi Paganini May 29, 2015

Security researchers at Trend Micro Security firm discovered that 1 in 20 Android apps open to attack due to a flaw in the Apache Cordova API Framework.

Researchers at Trend Micro have discovered a serious vulnerability (CVE-2015-1835) in the Apache Cordova  mobile API framework, that could be exploited by remotely by attackers to modify the behavior of apps just by clicking a URL. The flaw affects all versions of Apache Cordova up to 4.0.1 according to Apache.

“We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL,”states the blog post published by TrendMicro.

“The extent of the modifications can range from causing nuisance for app users to crashing the apps completely.” states the blog post published by TrendMicro.

The Apache Cordova mobile API framework is used by one in 20 (5,6%) Android applications present in the in Google Play.

The vulnerability was confirmed also by Apache that issued a security bulletin:

“A major Security issue were discovered in the Android platform of Cordova. We are releasing version 4.0.2 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. If you are using an older version of Cordova, we have also released 3.7.2 with the same fix, and we recommend that you at upgrade your project to either of these fixed versions.” states the security bulletin.

The flaw resides in the way the Cordova API framework handles app developer preferences, which are a set of variables reserved for developers to configure their apps.

“Any tampering with these variables during runtime initialisation will certainly mess up the app’s normal behaviour.”

The Apache Cordova API framework up to 4.0.1 supports the following preferences:

• Fullscreen
• DisallowOverscroll
• BackgroundColor
• Orientation
• KeepRunning
• LoadUrlTimeoutValue
• SplashScreen
• SplashScreenDelay
• InAppBrowserStorageEnabled
• LoadingDialog
• LoadingPageDialog
• ErrorUrl
• ShowTitle
• LogLevel
• SetFullscreen
• AndroidLaunchMode
• DefaultVolumeStream

The CVE-2015-1835 vulnerability can be exploited for a number of purposes, including tampering with the UI’s appearance, injecting texts, pop-ups, and splash screens, modifying basic features implemented by the app or crashing it.

The researchers at Trend Micro have also  published proof-of-concept attacks the vulnerability and invited Android developers to manually adjust the preferences for their applications.

“We privately disclosed this vulnerability to Apache, and they have released an official bulletin,” said Trend Micro.

“We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability.”

The researchers highlighted that the successful exploit of the flaw is possible only is the following conditions are required to successfully exploit this vulnerability:

• At least one of the application’s components extending from Cordova’s base activity: CordovaActivity or configuring Cordova framework such that Config.java is not properly secured, meaning it is accessible from outside the app.
• At least one of Cordova supported preferences (except LogLevel and ErrorUrl) is not defined in the configuration file: config.xml.

Pierluigi Paganini

(Security Affairs –  Cordova API framework, Android)