1 in 20 Android apps open to attack due to a flaw in the Apache Cordova API Framework

Security researchers at Trend Micro Security firm discovered that 1 in 20 Android apps open to attack due to a flaw in the Apache Cordova API Framework.

Researchers at Trend Micro have discovered a serious vulnerability (CVE-2015-1835) in the Apache Cordova mobile API framework that could be exploited remotely by attackers to modify the behavior of apps just by clicking a URL. According to Apache, the flaw affects all versions of Apache Cordova up to 4.0.1.

“We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL,” states the blog post published by Trend Micro.

“The extent of the modifications can range from causing nuisance for app users to crashing the apps completely,” the post continues.

The Apache Cordova mobile API framework is used by one in 20 (5.6%) of the Android applications present in Google Play.

The vulnerability was also confirmed by Apache, which issued a security bulletin:

“A major security issue was discovered in the Android platform of Cordova. We are releasing version 4.0.2 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. If you are using an older version of Cordova, we have also released 3.7.2 with the same fix, and we recommend that you upgrade your project to either of these fixed versions,” states the security bulletin.

The flaw resides in the way the Cordova API framework handles app developer preferences, which are a set of variables reserved for developers to configure their apps.

“Any tampering with these variables during runtime initialisation will certainly mess up the app’s normal behaviour.”

The Apache Cordova API framework up to 4.0.1 supports the following preferences:

  • Fullscreen
  • DisallowOverscroll
  • BackgroundColor
  • Orientation
  • KeepRunning
  • LoadUrlTimeoutValue
  • SplashScreen
  • SplashScreenDelay
  • InAppBrowserStorageEnabled
  • LoadingDialog
  • LoadingPageDialog
  • ErrorUrl
  • ShowTitle
  • LogLevel
  • SetFullscreen
  • AndroidLaunchMode
  • DefaultVolumeStream

The CVE-2015-1835 vulnerability can be exploited for a number of purposes, including tampering with the UI’s appearance, injecting texts, pop-ups, and splash screens, modifying basic features implemented by the app or crashing it.

The researchers at Trend Micro have also published proof-of-concept attacks against the vulnerability and invited Android developers to manually define the preferences for their applications.

“We privately disclosed this vulnerability to Apache, and they have released an official bulletin,” said Trend Micro.

“We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability.”

The researchers highlighted that both of the following conditions are required to successfully exploit this vulnerability:

  • At least one of the application’s components that extends Cordova’s base activity (CordovaActivity), or that configures the Cordova framework through Config.java, is not properly secured, meaning it is accessible from outside the app.
  • At least one of the Cordova-supported preferences (except LogLevel and ErrorUrl) is not defined in the configuration file config.xml.
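A defender-side check for the two conditions above, written as an added example that is not part of the article or of the Cordova project: it reports which supported preferences a project’s config.xml leaves undefined and which activities its AndroidManifest.xml exposes to other apps. The sample config.xml and manifest are constructed, and the rule that an activity with an intent-filter but no android:exported attribute counts as exported is an assumption based on the pre-Android 12 manifest default.

```python
# Added example, not code from the article or from Apache Cordova: audits a
# Cordova Android project for the two preconditions the article lists for
# CVE-2015-1835 (an exported Cordova activity plus a supported preference left
# undefined in config.xml). The sample config.xml and manifest are constructed.
import xml.etree.ElementTree as ET

# Preferences supported by Cordova Android up to 4.0.1, as listed in the article.
CORDOVA_PREFERENCES = {
    "Fullscreen", "DisallowOverscroll", "BackgroundColor", "Orientation", "KeepRunning",
    "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay", "InAppBrowserStorageEnabled",
    "LoadingDialog", "LoadingPageDialog", "ErrorUrl", "ShowTitle", "LogLevel",
    "SetFullscreen", "AndroidLaunchMode", "DefaultVolumeStream",
}
NOT_AFFECTED = {"LogLevel", "ErrorUrl"}  # excluded by the researchers' second condition
ANDROID = "{http://schemas.android.com/apk/res/android}"

def undefined_preferences(config_xml):
    """Affected preferences that config.xml does not pin to a value."""
    root = ET.fromstring(config_xml)
    # <preference> lives under a namespaced <widget>, so match on the local tag name.
    defined = {el.get("name") for el in root.iter() if el.tag.split("}")[-1] == "preference"}
    return (CORDOVA_PREFERENCES - NOT_AFFECTED) - defined

def exported_activities(manifest_xml):
    """Activities other apps can reach: exported="true", or unset with an <intent-filter>
    (assumed pre-Android 12 default)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        exported = act.get(ANDROID + "exported")
        if exported == "true" or (exported is None and act.find("intent-filter") is not None):
            found.append(act.get(ANDROID + "name"))
    return found

def is_exposed(config_xml, manifest_xml):
    """Both of the article's conditions must hold for the flaw to be exploitable."""
    return bool(exported_activities(manifest_xml)) and bool(undefined_preferences(config_xml))

# Constructed sample: a typical project that pins only two preferences and
# exports its launcher activity, so both conditions are met.
SAMPLE_CONFIG = """<widget id="com.example.app" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <preference name="Fullscreen" value="false"/>
  <preference name="Orientation" value="portrait"/>
</widget>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><activity android:name="com.example.app.MainActivity">
    <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
  </activity></application>
</manifest>"""
```

Defining every listed preference in config.xml empties the first report and removes the second condition, which is the manual adjustment the researchers recommend alongside upgrading to 4.0.2.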

Pierluigi Paganini

(Security Affairs – Cordova API framework, Android)

