High-severity flaw can be exploited remotely

May 28, 2015 08:28 GMT

Android apps built with Apache Cordova are susceptible to unauthorized configuration changes that can make them display unwanted dialog boxes or terminate their main activity.

Apache Cordova allows developers to create cross-platform mobile apps using standard web technologies such as HTML5, CSS3 and JavaScript. iOS, Android, BlackBerry and Windows Phone are among the supported platforms.

The apps run inside a platform-specific native wrapper and reach device functions such as the accelerometer or the camera through APIs (application programming interfaces).

Attacker can modify default configuration parameters

Seven She, mobile threat analyst at Trend Micro, found a high-severity security flaw that an attacker can exploit remotely to change how apps behave if they rely on the default behavior preferences defined by the Cordova framework.

“These preferences could be explicitly set in config.xml in Cordova framework, or left undefined and implicitly linked to default values. It is important to note that many developers take the latter option in practice since not all of these preferences are necessary for their apps.

“Once a preference is not explicitly configured in config.xml, the Cordova framework will set it from intent bundles in the base activity,” She explains in a blog post on Wednesday.

The researcher says that an attacker can use a compromised app already on the device to inject malicious Intent bundles; alternatively, the bundles can be delivered from a remote web server, so the app's behavior can be influenced when the user clicks a URL supplied by the attacker.

Proof-of-concept code released, demo videos, too

Trend Micro says that Cordova-based apps in Google Play account for 5.6% of all entries. It is unclear, though, how many of them rely on the default configuration.

Apache released versions 4.0.2 and 3.7.2 of Cordova Android to mitigate the risk. Variants for other mobile platforms are not affected by the vulnerability, which is tracked as CVE-2015-1835.

The updates remove the ability to change configuration parameters via Intents. Since only preferences left undefined in config.xml are read from Intent bundles, an app that cannot be rebuilt with a patched version right away reduces its exposure by setting every preference it depends on explicitly in config.xml rather than relying on the implicit defaults.
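The two things a developer needs to check follow directly from the description above: which preferences a given config.xml leaves undefined (and therefore, on an unpatched build, open to Intent injection), and whether the cordova-android version in use is at or above the fixed releases. The script below is an added example and is not Trend Micro's or Apache's code. The preference names in WATCHED are real Cordova Android preference names (the background colour, fullscreen, splash screen and volume settings the videos tamper with, plus two more the framework reads the same way); the watch list itself, the sample config.xml and the version string fed to is_patched are constructed here for illustration.

```python
"""Audit a Cordova config.xml for preferences left to implicit defaults
and check a cordova-android version against the CVE-2015-1835 fix.

Added example; not code from the original article, Trend Micro or Apache.
"""
import xml.etree.ElementTree as ET

# Real Cordova Android preference names. The selection is this example's own:
# the four the article's videos tamper with, plus LoadUrlTimeoutValue and
# ErrorUrl, which cordova-android resolves from config.xml the same way.
WATCHED = (
    "BackgroundColor",
    "Fullscreen",
    "SplashScreen",
    "DefaultVolumeStream",
    "LoadUrlTimeoutValue",
    "ErrorUrl",
)

# Constructed sample config.xml: Fullscreen is set globally, BackgroundColor
# only for Android, SplashScreen only for iOS (so it does NOT count for Android).
SAMPLE_CONFIG = """<widget id="com.example.app" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <name>ExampleApp</name>
    <content src="index.html" />
    <preference name="Fullscreen" value="false" />
    <platform name="android">
        <preference name="BackgroundColor" value="0xffffffff" />
    </platform>
    <platform name="ios">
        <preference name="SplashScreen" value="screen" />
    </platform>
</widget>
"""


def _local(tag):
    """Strip the XML namespace prefix ("{...}preference" -> "preference")."""
    return tag.rsplit("}", 1)[-1]


def explicit_preferences(config_xml, platform="android"):
    """Return {name: value} for preferences set globally or under <platform name=platform>."""
    root = ET.fromstring(config_xml)
    prefs = {}
    for elem in root:
        name = _local(elem.tag)
        if name == "preference":
            prefs[elem.get("name")] = elem.get("value")
        elif name == "platform" and elem.get("name") == platform:
            # Platform-scoped preferences override global ones for that platform.
            for child in elem:
                if _local(child.tag) == "preference":
                    prefs[child.get("name")] = child.get("value")
    return prefs


def unset_preferences(config_xml, watched=WATCHED, platform="android"):
    """Return the watched preference names that config.xml leaves undefined."""
    present = explicit_preferences(config_xml, platform)
    return [p for p in watched if p not in present]


def parse_version(version):
    """'4.0.2' -> (4, 0, 2); missing components compare as lower."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(cordova_android_version):
    """True if the cordova-android version is at or above 3.7.2 / 4.0.2."""
    v = parse_version(cordova_android_version)
    if v[0] >= 4:
        return v >= (4, 0, 2)
    return v >= (3, 7, 2)


if __name__ == "__main__":
    # Version string would normally come from the project's cordova-android
    # package; here it is a constructed value for the demonstration.
    version = "4.0.1"
    print("cordova-android", version, "patched:", is_patched(version))
    for pref in unset_preferences(SAMPLE_CONFIG):
        print("preference not set explicitly for android:", pref)
```

Run against the sample, the script reports the build as unpatched and lists SplashScreen, DefaultVolumeStream, LoadUrlTimeoutValue and ErrorUrl as undefined for Android; the iOS-only SplashScreen entry correctly does not count. Point it at a real config.xml and the cordova-android version of the project to get the same two answers for an actual app.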

Trend Micro created proof-of-concept code and recorded a video that demonstrates the weakness and shows how an arbitrary dialog can be injected into a local Cordova-based app.

Furthermore, the researchers recorded videos showing their exploit injecting splash screens into an affected app, modifying the background color parameter, and tampering with the fullscreen display setting and the volume control.