A major security vulnerability in Apache Cordova could give attackers the ability to tamper with Android applications with just a single click.
The vulnerability, which was discovered by TrendMicro's Mobile Threat Research Team, affects Cordova-built Android applications that do not have explicit values set in a configuration file and gives an attacker the ability to set these values using an Intent. According to the security bulletin, "This can cause unwanted dialogs appearing in applications and changes in the application behaviour that can include the app force-closing."
All Cordova Android versions up to 4.0.1 are affected by the vulnerability, except for 3.7.2, and developers using Cordova to build Android applications are strongly encouraged to upgrade to the latest Cordova Android version, 4.0.2, which disables the ability for configuration variables to be set by Intent.
Additionally, developers of Cordova Android plugins are being told to use Cordova's Preferences API to deal with configuration values.
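A triage check built from the affected version range and the "no explicit value" condition described above, as an added example rather than code from TrendMicro or the Cordova project. The article does not list which preferences are affected, so the watch list and the sample config.xml below are constructed for illustration, and the Cordova Android version is passed in as a string.

```python
import re
import xml.etree.ElementTree as ET

# From the article: every release up to 4.0.1 is affected, except 3.7.2.
LAST_AFFECTED = (4, 0, 1)
UNAFFECTED_EXCEPTION = (3, 7, 2)

# Constructed sample config.xml (not taken from any real app).
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <name>Example</name>
  <preference name="LoadUrlTimeoutValue" value="20000" />
  <preference name="Fullscreen" value="false" />
</widget>"""

# Assumption: preference names the auditor wants explicitly pinned.
WATCH_LIST = ("LoadingDialog", "ErrorUrl", "LoadUrlTimeoutValue")

def parse_version(text):
    """Turn '4.0.1' or '4.0.1-dev' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    """Apply the article's range: <= 4.0.1 and not 3.7.2."""
    v = parse_version(version_text)
    return v <= LAST_AFFECTED and v != UNAFFECTED_EXCEPTION

def explicit_preferences(config_xml):
    """Return {lowercased name: value} for every <preference> in config.xml."""
    prefs = {}
    for el in ET.fromstring(config_xml).iter():
        # Strip the XML namespace so the check works with or without xmlns.
        if el.tag.rsplit("}", 1)[-1] == "preference" and el.get("name"):
            # Names are compared case-insensitively (an assumption of this example).
            prefs[el.get("name").lower()] = el.get("value", "")
    return prefs

def triage(version_text, config_xml, watch_list=WATCH_LIST):
    """Flag a build that is both in the affected range and leaves values unset."""
    explicit = explicit_preferences(config_xml)
    missing = sorted(n for n in watch_list if n.lower() not in explicit)
    affected = is_affected(version_text)
    return {"affected_version": affected,
            "not_explicitly_set": missing,
            "exposed": affected and bool(missing)}
```

Upgrading to 4.0.2 remains the fix the bulletin recommends; the list of unset preferences only helps prioritise which apps to rebuild first.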
Security vulnerabilities can be easy to fix, but hard to address
While many security vulnerabilities have the potential to be harmful, many are not easily exploited. Unfortunately, that isn't the case here. Seven Shen, a Mobile Threats Analyst at TrendMicro, says that the Cordova Android vulnerability is problematic because many app developers don't explicitly set configuration variables that aren't needed. Additionally, developers are instructed to extend the CordovaActivity class in their applications, and that class is linked to the issue.
In short, Shen believes the Cordova Android vulnerability is "highly exploitable because the conditions that need to be met for a successful exploit are common developer practices."
The bad news for developers affected by the vulnerability is that they will need to upgrade to a vulnerability-free version of Apache Cordova, rebuild their apps, and take action to distribute the updated app to users. Given Cordova's popularity and the fact that many mobile apps aren't actively maintained, there's no telling how many vulnerable apps will remain in the wild.
While TrendMicro disclosed the vulnerability privately to the Apache Cordova project, giving it time to develop and release a fix, the challenges in getting developers to upgrade and rebuild their apps highlight just how difficult it can be for providers of development platforms like Cordova to address security issues when they arise.