Apache Patches Cordova Android Hole

Monday, June 1, 2015 @ 11:06 AM gHale

Apache mitigated a problem with Cordova Android could lead to problems with some apps, researchers said.

Apache Cordova allows developers to create cross-platform mobile apps using standard web technologies like HTML5, CSS3 and JavaScript. The vulnerability could lead to unauthorized configuration changes, the researchers said.

Apache HBase Fixes Flaws
Apache Hive Fixes Vulnerability
PuTTY Malware Steals Credentials
Apache Fixes Security Manager Hole

The apps execute in a wrapper specific for each platform and access the phone’s functions such as the accelerometer or the camera, via APIs (application programming interfaces). Android, iOS, Blackberry, Windows Phone are among the supported platforms.

The vulnerability can end up exploited remotely by an attacker to change how apps respond if they use the default behavior preferences defined in Cordova framework, said Seven She, mobile threat analyst at Trend Micro, who discovered the issue.

“These preferences could be explicitly set in config.xml in Cordova framework, or left undefined and implicitly linked to default values,” She said in a blog post. “It is important to note that many developers take the latter option in practice since not all of these preferences are necessary for their APPs.”

The app’s actions can be influenced when the user clicks on a URL from the attacker, She said.

Trend Micro said Cordova-based apps in Google Play account for 5.6 percent of all entries. It is unclear, though, how many of them rely on the default configuration.

Apache released versions 4.0.2 and 3.7.2 for Cordova Android to mitigate the risks. Variants for other mobile platforms do not suffer from the vulnerability identified as CVE-2015-1835.

The updates eliminate the possibility to change the configuration parameters via Intents.

Trend Micro created proof-of concept code and recorded a video that demonstrates the weakness and shows how a local Cordova-based app can end up injected with an arbitrary dialog.