Security vuln allows Android app tampering through single URL click

A serious security flaw discovered in the Apache Cordova developer framework could allow for malicious injections into Android apps.
A severe security flaw has been discovered within device APIs used to develop Android applications.

Apache Cordova, developed by The Apache Software Foundation, is a toolkit of device APIs that lets mobile app developers access native device functions, such as the camera and accelerometer, from JavaScript.

The APIs are exposed through a JavaScript library, so apps built with Cordova can be written using web technologies such as HTML, CSS and JavaScript. The framework supports the iOS, Android, BlackBerry, Windows Phone, Palm webOS, Bada and Symbian platforms.

In a security bulletin posted this week, the Cordova project acknowledged that a "major" security issue had been discovered in the framework.

Discovered by the Trend Micro Mobile Threat Research Team (TRT), the vulnerability allows an attacker to modify an Android app's behavior remotely, provided the victim clicks a malicious link.

The root cause is that Android apps built with Cordova commonly leave preferences without explicit values in config.xml, which gives a threat actor the opportunity to supply values for those undefined secondary configuration variables. This can cause "unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing," according to the foundation.

Designated CVE-2015-1835, the vulnerability requires two conditions to be met before it can be exploited. First, at least one of the app's components must extend Cordova's root activity -- CordovaActivity -- or the Cordova framework itself must have been modified so that its base activity is not properly secured. Second, at least one of Cordova's supported preferences -- other than LogLevel and ErrorUrl -- must be left undefined in the configuration file config.xml. TRT says:

"We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the 'CordovaActivity' and very few explicitly define all preferences in their configuration.

Moreover, all Cordova-based apps built from the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable."

"Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself," TRT explained. Through the flaw, an app's appearance could be altered; pop-ups, splash screens and adverts could be injected into its interface; its basic functionality could be tampered with; or the app could be forced to crash.

The security team also highlighted that the majority of Cordova-based apps, which account for 5.6 percent of all apps in Google Play, are exposed to this exploit.

Cordova is releasing version 4.0.2 of Cordova Android to fix the issue, and recommends that all Android applications built with Cordova 4.0.x or higher be upgraded to Cordova Android 4.0.2. Developers who have used older versions of Cordova can upgrade to 3.7.2 to patch the same issue. Other platforms are not believed to be affected by the vulnerability.
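Because the second exploit condition above is a preference left undefined in config.xml, a build-time audit of that file is a useful complement to upgrading. The script below is an added example, not code from the article, Trend Micro or the Cordova project: it parses a Cordova config.xml and lists which preferences from an assumed (partial) checklist of Cordova Android preferences are not explicitly set, either globally or under the Android platform block. The sample config.xml embedded in it is constructed for illustration.

```python
"""Audit a Cordova config.xml for preferences left to run-time defaults (CVE-2015-1835 hardening check)."""
import xml.etree.ElementTree as ET

WIDGET_NS = "{http://www.w3.org/ns/widgets}"

# Assumed, partial checklist of Cordova Android preference names; extend it with the
# full list for the Cordova version in use. LogLevel and ErrorUrl are left out because
# the advisory does not count them among the preferences that matter for this issue.
AUDITED_PREFERENCES = (
    "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay",
    "BackgroundColor", "KeepRunning", "LoadingDialog",
    "Fullscreen", "Orientation", "DisallowOverscroll",
)


def defined_preferences(config_xml: str, platform: str = "android") -> dict:
    """Return {name.lower(): value} for global preferences plus those scoped to `platform`.
    Names are lower-cased because Cordova matches preference names case-insensitively."""
    root = ET.fromstring(config_xml)
    prefs = {}
    for pref in root.findall(f"{WIDGET_NS}preference"):
        prefs[pref.get("name", "").lower()] = pref.get("value")
    for plat in root.findall(f"{WIDGET_NS}platform"):
        if plat.get("name") == platform:
            for pref in plat.findall(f"{WIDGET_NS}preference"):
                prefs[pref.get("name", "").lower()] = pref.get("value")
    return prefs


def undefined_preferences(config_xml: str) -> list:
    """Names from AUDITED_PREFERENCES that the config does not set explicitly."""
    defined = defined_preferences(config_xml)
    return [name for name in AUDITED_PREFERENCES if name.lower() not in defined]


# Constructed sample resembling a CLI-generated config.xml that sets only two preferences.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.sample" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>Sample</name>
    <preference name="LoadUrlTimeoutValue" value="60000" />
    <platform name="android">
        <preference name="SplashScreen" value="screen" />
    </platform>
</widget>
"""

if __name__ == "__main__":
    missing = undefined_preferences(SAMPLE_CONFIG)
    print("preferences left undefined:", ", ".join(missing) or "none")
```

Every name the script reports should be given an explicit value in config.xml (in addition to upgrading Cordova Android), so that no audited preference is left for the framework to resolve at run time.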