Cordova flaw leaves Android apps open to attack

A "major" security vulnerability discovered within the Apache Cordova toolkit of device applications programming interfaces (APIs) leaves a significant number of Android applications open to remote exploit.

The Apache Cordova mobile API framework is used by one in 20 Android applications.

It lets developers access native device functions to build mobile applications across a number of different mobile operating systems including iOS and Android.

The Apache Software Foundation this week reported that the TrendMicro Mobile Threat Research Team had discovered a major security vulnerability in Cordova which would allow attackers to potentially change the behaviour of an Android app via remote exploit.

The vulnerability arises from a flaw in the way developer preferences are handled in the framework.

"The vulnerability is found in a Cordova feature where secondary configuration variables (also known as 'preferences') could be set from intent bundles in the base activity," Trend Micro wrote.

"Preferences are a set of variables reserved for developers to configure their apps. They are the sources of the build-in characteristics of Cordova-based apps and should be controlled only by app developers.

A successful attack can only be carried out if at least one of the app's components extend from Cordova's root activity, or the framework is altered to unsecure its Config.java system.

On top of that, at least one of Cordova's supported preferences -- any except LogLevel and ErrorUrl -- must not be defined in the configuration file config.xml. 

The TrendMobile team said the vulnerability was highly exploitable because the conditions that need to be met for a successful attack are common developer practices.

"Most Cordova-based apps do extend the "CordovaActivity" and very few explicitly define all preferences in their configuration," the team wrote.

"Moreover, all of Cordova-based apps build from the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable."

The team found that an app's appearance could be altered if the base activity was not properly secured and the preferences set to default.

Attackers could inject pop-ups and ads into an app's interface, tamper with its basic functionality, or force the app to crash.

More than five percent of all apps in the Google Play store used Cordova, the team wrote. All versions of the toolkit are affected.

Apache has released an updated version of the API framework to address the vulnerability.

It recommended all developers who built their apps on the Cordova 4.0 or higher version upgrade to the most recent version.

The flaw is the second discovered in Cordova in recent times.

In August last year, IBM security researchers found a serious security hole - previously known as Adobe PhoneGap - which potentially affected some 77,000 apps in the Google Play store, including banking and finance programs.