Apache Cordova vulnerability puts Android apps in danger

Android applications built with Cordova (Apache's framework for developing applications) are vulnerable to unauthorized configuration changes that could cause the apps to display annoying pop-up boxes or shut down. The flaw allows an attacker to change the behavior of a victim's apps at will.

Apache Cordova enables developers to build cross-platform smartphone applications using standard web technologies such as CSS3, HTML5 and JavaScript. Android, iOS, Windows and BlackBerry are among the supported platforms.

The applications run in a wrapper specific to each platform and gain access to the device's functions, such as the camera or the accelerometer, through APIs.

Attackers can alter the default settings

Trend Micro's mobile threat analyst, Seven Shen, discovered a major security flaw that a remote attacker can abuse to alter how applications behave if they rely on the default settings defined in the Apache Cordova framework.

These preferences can be set explicitly in the Apache Cordova config.xml, or left undefined, in which case they implicitly fall back to the default settings. It is important to note that many developers take the latter option in practice, since not all of these settings are required for their applications.

Seven Shen said in her blog post on Wednesday, “Once a preference is not explicitly configured in config.xml, the Cordova framework will set it from intent bundles in the base activity.”

The researcher states that an attacker can rely on vulnerable local applications to inject malicious Intent bundles; alternatively, the malicious input can be injected from a remote web server, which means the application's behavior can be affected when the user follows a link from the attacker.

Sample videos and proof of concept released

According to Trend Micro, applications based on Cordova make up 5.6 percent of all applications available on Google Play. It is not clear, however, how many of those applications rely on the default settings.

Apache released versions 3.7.2 and 4.0.2 of Cordova for Android to mitigate the risk. Cordova versions for other mobile platforms are not affected by the bug, which is tracked as CVE-2015-1835.

Apache's latest updates reduce the ability to alter the default configuration settings via Intents.

Moreover, the security researchers created videos demonstrating their work: adding white screens in a compromised application, altering the background color, and interfering with the sound controls and the full-screen setting.
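As an added example (not code from Trend Micro or Apache), the following script audits a project for the condition described above: it lists preferences that config.xml leaves implicit and checks the Cordova Android version against the fixed releases 3.7.2 and 4.0.2. The audited preference list, the sample config.xml and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Fixed Cordova Android releases named in the article.
PATCHED_3X, PATCHED_4X = (3, 7, 2), (4, 0, 2)

# Assumed sample audit list, not a complete inventory: extend it with every
# preference your app relies on.
AUDITED_PREFS = ["Fullscreen", "BackgroundColor", "LoadUrlTimeoutValue", "ErrorUrl"]

def is_patched(version_text):
    """True if the version is at or past the fix on its release line."""
    core = version_text.strip().split("-")[0]          # drop suffixes like -dev
    parts = [int(p) for p in core.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))          # pad "4.0" to (4, 0, 0)
    return v >= PATCHED_4X if v >= (4, 0, 0) else v >= PATCHED_3X

def explicit_preferences(config_xml):
    """Map lower-cased preference name -> value for every <preference> tag."""
    found = {}
    for el in ET.fromstring(config_xml).iter():
        local_name = el.tag.rsplit("}", 1)[-1]         # strip XML namespace
        if local_name == "preference" and el.get("name"):
            # Names are compared case-insensitively (assumption of this example).
            found[el.get("name").lower()] = el.get("value")
    return found

def audit(config_xml, cordova_android_version, audited=AUDITED_PREFS):
    """Report audited preferences that are left to their defaults."""
    explicit = explicit_preferences(config_xml)
    implicit = [p for p in audited if p.lower() not in explicit]
    patched = is_patched(cordova_android_version)
    return {"patched": patched, "implicit": implicit,
            "exposed": bool(implicit) and not patched}

# Constructed sample config.xml: only two of the audited preferences are set.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <name>ExampleApp</name>
  <preference name="Fullscreen" value="false" />
  <preference name="BackgroundColor" value="0xff000000" />
</widget>"""

if __name__ == "__main__":
    for version in ("4.0.0", "4.0.2"):
        print(version, audit(SAMPLE_CONFIG, version))
```

The script covers only the config.xml and version conditions; whether the app's base activity extends CordovaActivity has to be checked in the app's own source.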

Statements from Trend Micro

Trend Micro wrote, “The vulnerability is found in a Cordova feature where secondary configuration variables (also known as ‘preferences’) could be set from intent bundles in the base activity.”

The TRT (Trend Micro Mobile Threat Research Team) says, “We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the ‘CordovaActivity’ and very few explicitly define all preferences in their configuration.

Moreover, all Cordova-based apps built from the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable.”

They explained that, “Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.”


Ali Raza Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a Master degree, now he combines his passions for writing about internet security and technology for SecurityGladiators. When he is not working, he loves traveling and playing games.