We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behavior of apps just by clicking a URL. The extent of the modifications can range from causing nuisance for app users to crashing the apps completely.
Designated as CVE-2015-1835, this high-severity vulnerability affects all versions of Apache Cordova up to 4.0.1. Apache has released a security bulletin confirming the vulnerability. This means that majority of Cordova-based apps, which accounts for 5.6% of all apps in Google Play, are prone to exploits.
The vulnerability is found in a Cordova feature where secondary configuration variables (also as preferences) could be set from intent bundles in the base activity. This feature was part of a code update (also known as commit in Github) Apache released in November 2010, along with the Cordova Android update to 0.9.3.
Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.
Prerequisites for a successful exploit
Only two conditions are required to successfully exploit this vulnerability:
- At least one of the application’s components extending from Cordova’s base activity: CordovaActivity or configuring Cordova framework such that Config.java is not properly secured, meaning it is accessible from outside the app.
- At least one of Cordova supported preferences (except LogLevel and ErrorUrl) is not defined in the configuration file: config.xml.
How it works
To understand how the vulnerability works, we’ll look into how preferences are set in apps.
Secondary configuration variables, also known as preferences, are set of variables reserved for developers to configure their apps. They are the sources of the build-in characteristics of Cordova-based Apps and should be only controlled by app developers. Any tampering to these variables during runtime initialization will certainly mess up the APP’s normal behaviors.
The Apache Cordova framework on Android (up to 4.0.1) supports the following preferences:
- Fullscreen
- DisallowOverscroll
- BackgroundColor
- Orientation
- KeepRunning
- LoadUrlTimeoutValue
- SplashScreen
- SplashScreenDelay
- InAppBrowserStorageEnabled
- LoadingDialog
- LoadingPageDialog
- ErrorUrl
- ShowTitle
- LogLevel
- SetFullscreen
- AndroidLaunchMode
- DefaultVolumeStream
These preferences could be explicitly set in config.xml in Cordova framework, or left undefined and implicitly linked to default values. It is important to note that many developers take the latter option in practice since not all of these preferences are necessary for their APPs. Once a preference is not explicitly configured in config.xml, the Cordova framework will set it from intent bundles in the base activity.
Figure 1. The app loads the intent bundle and copies it to preference during initialization in CordovaActivity
Figure 2. The app loads the preference value from its bundle when it is absent in config.xml
App developers are usually guided to extend CordovaActivity in their applications to make this hybrid framework work.
Figure 3. A subclass extent from CordovaActivity to launch web pages
Unfortunately, in this case, it is this common developer guidance that leaves apps vulnerable to attacks. The activity being extended means that it is accessible from outside the app, so attackers can inject malicious intent bundles to the activity to tamper the build-in characteristics of app, either from remote web servers, or local compromised apps.
We discovered that all of these preferences except LogLevel and ErrorUrl could be exploited. The Cordova framework handles the two preferences in a specific way which makes them immune to this vulnerability.
We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the “CordovaActivity” and very few explicitly define all preferences in their configuration. Moreover, all of Cordova-based apps build from the Cordova Command-Line Interface(CLI)() automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable.
Proof-of-Concept
We’ve created a demo of a typical remote intent injection attack which utilizes a previous disclosed vulnerability of the intent URL scheme in a vulnerable Android device: a Huawei T950E smartphone.
Here is the HTML code located on the remote server:
<html>
<body bgcolor=white text=red>
<font size=10>Your Cordova APP</center>
<br>
<font size=20> is hacked!!</font>
<script>
setTimeout(function()
{location.href=”intent:#Intent;S.loadingpagedialog=hacked,haha..blabla..please contact with www.trendmicro.com.cn or send to seven_shen@trendmicro.com.cn for solotion ;SEL;component=com.trendmicro.justademo/.MainActivity;end;”},5000);
</script>
</body>
</html>
Just by accessing the page on the device stock browser, the local designed Cordova-based app could be injected with an unwanted dialog along with the pushed tile and text messages. A video of how this works can be seen in the demo video here:
We can also modify other app preferences, and created demo videos for these cases:
- Exploiting SplashScreen and SplashScreenDelay to inject splash screens in Cordova-based apps with any resources under “res/drawable” and keep the display time as wanted
- Exploiting BackgroundColor to tamper with the Cordova-based app’s background color
- Exploiting SetFullScreen to tamper with the Cordova-based app’s display setting
- Exploiting DefaultVolumeStream to tamper the basic feature of volume button controller (e.g., replace the control on phone call by default with the control on media)
We also found that it is possible to remotely crash Cordova-based apps by injecting special data into the intent bundle.
adb shell am start -n com.trendmicro.justademo/.MainActivity --es backgroundcolor ffffff
This attack will cause an exception in Cordova framework and force the app to close.
Figure 4. The app crashing due to exploitation
Possible Impact
So far we’ve been able to discover the following possible impact this vulnerability has to Cordova-based apps and its users:
- Tamper app appearance
- Inject popups and texts
- Inject splash screens
- Modify basic functionalities
- Crash the app
While this vulnerability affects apps, there is also a great risk of exploitation in thousands of Apache Cordova third-party plugins, especially since their functionalities are highly dependent on preferences.
Solutions
We privately disclosed this vulnerability to Apache, and they have released an official bulletin regarding this vulnerability. We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability.
