A new vulnerability has recently been detected that affects 5.6% of the applications currently available in Google Play. These programs are based on Apache's Cordova development framework and were built with version 4.0.1 or earlier.
What does it consist of?
When a project based on Cordova is created, a series of preferences are defined that natively affect the application's basic behaviour, setting parameters such as the background color, the splash screen image, or how long the splash screen is shown. The application then launches with those preferences.
The vulnerability now detected, called CVE-2015-1835, allows those preferences to be supplied from a URL opened in an Android browser (via a URL scheme) when the application has not defined them itself. That means the application's background color can be changed, or the splash screen replaced with an image stored inside the application.
Once the application is launched from that new address, it starts with those preferences, but when it is closed and restarted from scratch, the injected configuration is lost.
What preferences are at risk?
Given that the vulnerability affects the Android mobile operating system, the available preferences are as follows:
FullScreen, allows the application's display mode to be changed.
DisallowOverscroll, disables the visual feedback when the user scrolls past the beginning or the end of the page.
BackgroundColor, sets the application's background color.
Orientation, defines the orientation in which the app runs – landscape or portrait.
KeepRunning, stops the app from dying when it is paused, but may lead to extreme power consumption.
LoadUrlTimeoutValue, this is critical and may cause problems when booting.
SplashScreen, initial loading image.
SplashScreenDelay, period of time until the splash image disappears.
InAppBrowserStorageEnabled, controls whether pages opened with InAppBrowser can access the same localStorage and WebSQL as pages opened by the default browser.
LoadingDialog, heading and message displayed while the home page is loading.
LoadingPageDialog, The same as LoadingDialog but for when all the other pages are loading.
ErrorUrl, page the application is redirected to in order to display an application error.
ShowTitle, whether the title is displayed at the top of the app.
LogLevel, to obtain a log of
SetFullscreen, to display the application in fullscreen or not.
AndroidLaunchMode, defines the “Activity
DefaultVolumeStream, defines what type of volume is enabled via the physical volume key.
What's the risk for my Cordova application?
The harm that can be done depends on the preference being changed: changing how the volume button behaves in the application is not the same as preventing a program that reads the GPS location every second from shutting down, so that the battery drains in just a few hours.
That is why the important thing is to think about the preferences you have defined in your application and assess what sort of damage could be done. Also, in order to exploit the vulnerability, an attacker needs to know the name of the main activity if the default used by Cordova ('MainActivity') has not been kept.
It should also be noted that the effects of this vulnerability do not persist in the application, i.e. once the application stops running and is restarted, the "bad" preferences are no longer applied. Therefore, the advice is to update applications to version 4.0.2, or to version 3.7.2, of Apache Cordova.
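A defender-side check that follows from the advice above, added here as an example that is not part of the original post nor of Cordova's own tooling: the script parses a project's config.xml (a constructed sample is embedded so it runs offline) and reports which of the Android preferences listed earlier are left undefined, since those are the ones the vulnerability allows an external caller to supply. Preference names are compared case-insensitively, which is an assumption about how Cordova matches them; the file layout (global preferences as children of widget, platform-specific ones under a platform element named android) follows the standard config.xml format.

```python
"""Audit a Cordova config.xml for Android preferences left undefined.

Added example, not code from the original post or from the Cordova project.
Undefined preferences are the ones CVE-2015-1835 lets an outside caller
supply, so every one of them should be set explicitly (or the framework
updated to 4.0.2 / 3.7.2, as the post advises).
"""
import sys
import xml.etree.ElementTree as ET

# Android preferences named in the post.
ANDROID_PREFERENCES = [
    "FullScreen", "DisallowOverscroll", "BackgroundColor", "Orientation",
    "KeepRunning", "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay",
    "InAppBrowserStorageEnabled", "LoadingDialog", "LoadingPageDialog",
    "ErrorUrl", "ShowTitle", "LogLevel", "SetFullscreen", "AndroidLaunchMode",
    "DefaultVolumeStream",
]

# Constructed sample config.xml: a typical project that sets only a few
# preferences, one of them for iOS only (which does not protect Android).
SAMPLE_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.sampleapp" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>SampleApp</name>
    <preference name="Orientation" value="portrait" />
    <preference name="BackgroundColor" value="0xffffffff" />
    <platform name="android">
        <preference name="SplashScreenDelay" value="3000" />
    </platform>
    <platform name="ios">
        <preference name="KeepRunning" value="true" />
    </platform>
</widget>
"""

NS = "{http://www.w3.org/ns/widgets}"


def defined_preferences(config_xml: str) -> dict:
    """Return {lowercased name: value} for every preference that applies to
    Android: global ones plus those under <platform name="android">."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    found = {}
    for pref in root.findall(NS + "preference"):
        found[pref.get("name", "").lower()] = pref.get("value", "")
    for platform in root.findall(NS + "platform"):
        if platform.get("name") != "android":
            continue  # preferences for other platforms do not count
        for pref in platform.findall(NS + "preference"):
            found[pref.get("name", "").lower()] = pref.get("value", "")
    found.pop("", None)  # drop any <preference> without a name attribute
    return found


def undefined_android_preferences(config_xml: str) -> list:
    """Names from ANDROID_PREFERENCES that the config does not set, in the
    order the post lists them (case-insensitive match, an assumption)."""
    defined = defined_preferences(config_xml)
    return [name for name in ANDROID_PREFERENCES if name.lower() not in defined]


def main() -> None:
    # Pass a path to audit a real config.xml; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            config = fh.read()
    else:
        config = SAMPLE_CONFIG
    missing = undefined_android_preferences(config)
    if not missing:
        print("All listed Android preferences are defined explicitly.")
        return
    print("Android preferences left undefined (injectable before 4.0.2/3.7.2):")
    for name in missing:
        print("  " + name)


if __name__ == "__main__":
    main()
```

Run it with the path to a project's config.xml; with no argument it audits the embedded sample, which reports 14 of the 17 preferences as undefined (KeepRunning is only set for iOS, so it is still reported). A preference reported here is a candidate for an explicit value, or at least for the damage assessment the post recommends.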
It is our responsibility as developers
In any software development, whether for mobile or not, we have to be careful and on the lookout for possible programming errors, whether our own or someone else's, and always keep abreast of the security updates for every software component being used.
If you want to check whether your application is exposed to some kind of vulnerability, please do not hesitate to contact us at email@example.com