A severe security flaw has been discovered within device APIs used to develop Android applications.
In a security bulletin posted this week, Cordova admitted a "major" security issue has been discovered in the API platform.
Discovered by the Trend Micro Mobile Threat Research Team (TRT), the security vulnerability allows attackers to modify an Android app's behavior via remote exploit if a victim clicks a malicious link.
The cause is that Android apps built using the Cordova framework often do not set explicit values in Config.xml, which gives threat actors an opportunity to set the undefined secondary configuration variables themselves. This can cause "unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing," according to the foundation.
Designated as CVE-2015-1835, the security vulnerability does require particular conditions to exploit. At least one of the app's components must extend from Cordova's root activity -- CordovaActivity -- or the Cordova framework must have been tampered with so that the framework's Config.java system is not properly secured. In addition, at least one of Cordova's supported preferences -- except LogLevel and ErrorUrl -- must not be defined in the configuration file config.xml. TRT says:
"We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the 'CordovaActivity' and very few explicitly define all preferences in their configuration.
Moreover, all Cordova-based apps built from the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable."
"Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself," TRT explained. Because of the flaw, an app's appearance could be altered; popups, splash screens and adverts could be injected into its interface; its basic functionality could be tampered with; or the app could be forced to crash.
The security team also highlighted the fact that the majority of Cordova-based apps, which account for 5.6 percent of all apps in Google Play, are open to exploitation.
Cordova is releasing version 4.0.2 of the API set to fix these security issues, and recommends that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. Mobile app developers who have used older versions of Cordova can also upgrade to 3.7.2 to patch the same security issue. Other platforms are not believed to be affected by the vulnerability.