Thursday, October 9, 2014

How to patch CVE-2014-3500: quick fix of the latest Cordova vulnerability

A lot of mobile application publishers got this email from Google recently:

This is a notification that you have multiple apps, listed below, built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials. 
….
Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Sure, after such a note from Big G, programmers who use Apache Cordova (aka PhoneGap) are in desperate need of an upgrade to Cordova 3.5.1 or higher. For some, this might be a problem, as it requires a lot of retesting.

Is there another way to mitigate or eliminate the problem? Let's take a closer look at the issue.

The vulnerabilities in Cordova that moved Google to act were discovered by an IBM team and published in July 2014: http://www.slideshare.net/ibmsecurity/remote-exploitation-of-the-cordova-framework

The paper describes 3 vulnerabilities, and the CVE identifiers are:
CVE-2014-3500: Cross-Application Scripting via Android Intents
CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs
CVE-2014-3502: Data Leak to Other Applications via Android Intent URIs

While all the vulnerabilities are dangerous and entertaining for every hacker or security analyst, it is CVE-2014-3500 that needs to be taken care of ASAP.

Here is the description of the problem:

The WebView object, provided by the Android Framework, allows developers to embed a browser within their own apps. This functionality is great for developing portable apps and is the basis of Apache Cordova. The web page loaded in the WebView object is controlled by the WebView.loadUrl() API.

For example, in order to open a website, the developer can write the following code:

String url = "http://www.mysite.com";
webView.loadUrl(url);

When the application is first loaded, it calls the Cordova WebView activity's loadUrl() function, which looks as follows:

public void loadUrl(String url) {
    if (url.equals("about:blank") || url.startsWith("javascript:")) {
        this.loadUrlNow(url);
    } else {
        String initUrl = this.getProperty("url", null);
        // If first page of app, then set URL to load to be the one passed in
        if (initUrl == null) {
            this.loadUrlIntoView(url);
        }
        // Otherwise use the URL specified in the activity's extras bundle
        else {
            this.loadUrlIntoView(initUrl);
        }
    }
}

One can see that initUrl is populated from a call to getProperty("url", null), which consists of the following code:

public String getProperty(String name, String defaultValue) {
    // The extras bundle comes straight from the Intent that launched the Activity
    Bundle bundle = this.cordova.getActivity().getIntent().getExtras();
    if (bundle == null) {
        return defaultValue;
    }
    Object p = bundle.get(name);
    if (p == null) {
        return defaultValue;
    }
    return p.toString();
}

Just meditate on this a little. As the url parameter is taken from getIntent().getExtras(), it can be provided externally. This presents a vulnerability whereby a malicious caller could launch the Activity with an Intent bundle that includes a url of the caller's choosing. The provided URL will then be loaded by Cordova and rendered in the WebView!

To fix it, find every exported Activity that calls the WebView.loadUrl() API.

Locate the place where the Activity is instantiated and clear the 'url' and 'errorUrl' values provided by a caller. I skipped the part on errorUrl, but you can find it in the IBM paper; they are very similar.

You should add the following lines just before the first call to super.loadUrl():
super.setStringProperty("url", null);
super.setStringProperty("errorUrl", null);
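Here is what the complete fix looks like in context. This is an added example, not code from the post or from the Cordova project: a Cordova 3.x Android activity whose onCreate() clears the two caller-controlled extras before the first super.loadUrl(), so the start page always comes from config.xml. It assumes the Cordova 3.x API (CordovaActivity with setStringProperty(), Config.getStartUrl() and the super.init() call from the standard project template); the package and class name MainActivity are hypothetical.

```java
// Added example (not from the post or the Cordova project): a Cordova 3.x
// activity hardened against CVE-2014-3500 the way the post describes.
// Assumes the Cordova 3.x API; package and class name are hypothetical.
package com.example.app;

import android.os.Bundle;
import org.apache.cordova.Config;
import org.apache.cordova.CordovaActivity;

public class MainActivity extends CordovaActivity {

    // Extras that Cordova reads back through getProperty(). Any app that can
    // launch this Activity with an Intent can set either of them.
    private static final String[] CALLER_CONTROLLED_EXTRAS = { "url", "errorUrl" };

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        super.init();

        // Clear the caller-supplied extras BEFORE the first loadUrl(). After
        // this, getProperty("url", null) returns null, so Cordova takes the
        // "first page of app" branch and loads the URL we pass in below
        // instead of whatever the launching Intent carried.
        for (String name : CALLER_CONTROLLED_EXTRAS) {
            super.setStringProperty(name, null);
        }

        // Start page is set by <content src="index.html" /> in config.xml,
        // never by the Intent.
        super.loadUrl(Config.getStartUrl());
    }
}
```

Two checks are worth doing while you are in the code. First, the order matters: the setStringProperty() calls must run before the first super.loadUrl(), because loadUrl() reads the extras on its first page load. Second, when listing "exported" activities in AndroidManifest.xml, remember that on the Android versions current in 2014 an activity with an intent-filter (including the LAUNCHER filter on the main Cordova activity) is exported by default even when android:exported is not written out, so check every Cordova activity, not only those explicitly marked exported.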

=======================================================
Now your application is not vulnerable to CVE-2014-3500, and you have won time to update to the latest Cordova version.