
How frameworks like Cordova leave an inherent security hole in Mobile Apps

Frameworks like Apache Cordova enable software programmers to build hybrid applications for mobile devices. The applications are built using CSS3, HTML5, and JavaScript, and are then wrapped inside a thin native container that provides access to native platform features. This lets programmers create cross-platform mobile applications that work on multiple devices. Although such applications are easier and more cost-effective to build, they carry a major threat to application security. They make extensive use of web views, which leaves them vulnerable to reverse engineering. Cordova applications rely on web technologies like HTML and JavaScript, which can be easily tweaked to compromise the security of the application.

Now let us look at how the Cordova framework works.

The Cordova framework allows programmers to build applications using HTML, CSS and JavaScript. The application is then wrapped in a native container that is compatible with multiple platforms. Applications use a WebView, which serves as the user interface of the Cordova application; it occupies the entire screen and runs in the native container. Apache Cordova maintains a set of plugins that enable the application to access device capabilities such as the camera, GPS, contacts, etc. An application that uses the Cordova framework can be installed on multiple platforms, namely Android, iOS and Windows.

First, a Cordova application loads index.html in a WebView. All Cordova applications contain an index.html file. After loading index.html, the application invokes different plugins and functions through event handlers. Since the functioning of the application depends on the HTML file, an attacker can easily tweak it, which is a major security threat to such applications.

Let’s look at a demonstration of the entire attack.

First, decompile the apk using apktool as shown below:

Using a text editor, open the ‘index.html’ file.

Now let’s modify this HTML file and add an arbitrary JavaScript element to it, as indicated below:

We can also attempt to load malicious JavaScript hosted on external sites, as indicated below:

We are now ready to recompile the files into an apk using apktool as shown below:

We will now sign the modified apk using the “dex2jar” utility so that we obtain a signed apk which can then be installed on a mobile phone.

The app now loads with our malicious JavaScript, as shown below:

In this way, such applications can be tampered with by injecting malicious JavaScript. The malicious script can be used to carry out attacks such as redirecting users to a malicious webpage, stealing a valid user’s session token or other data, or loading JavaScript malware that can infect the device.

Although such applications will remain vulnerable to such reverse engineering hacks, some basic protection can still be enabled.

One way to prevent a Cordova application from loading malicious JavaScript hosted on external sites is to use the Cordova whitelist plugin. It restricts access to valid application domains only.

Refer to the link below to understand how the plugin is implemented:

https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/

For example, insert the URL of the allowed domain in the ‘access origin’ tag in the config.xml file as shown below:
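An added example, not from the original post: a Python check that reads a Cordova config.xml and flags whitelist entries broader than a single HTTPS application domain. The two config.xml samples and the example.com domain are constructed, and the `allow-navigation` tag comes from the whitelist plugin documentation rather than from this post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Whitelist tags and the attribute that holds the URL pattern.
WHITELIST_TAGS = {"access": "origin", "allow-navigation": "href"}

# Constructed sample: over-broad entries.
WEAK_CONFIG = """
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <access origin="*" />
  <access origin="http://api.example.com" />
  <allow-navigation href="http://*/*" />
</widget>
"""

# Constructed sample: only the application's own HTTPS domain is allowed.
RESTRICTED_CONFIG = """
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <access origin="https://api.example.com" />
</widget>
"""

def classify(pattern):
    """Return why a whitelist pattern is too broad, or None if acceptable."""
    if pattern == "*":
        return "any origin allowed"
    parsed = urlparse(pattern)
    if parsed.netloc == "*":
        return "any host allowed"
    if parsed.scheme == "http":
        return "cleartext http origin"
    return None

def audit_config(xml_text):
    """Return (tag, pattern, reason) for each over-broad whitelist entry."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        attr = WHITELIST_TAGS.get(tag)
        if attr is None:
            continue
        reason = classify(el.get(attr, ""))
        if reason:
            findings.append((tag, el.get(attr), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
```

Run it against the project's config.xml as a build check. It covers what the shipped build permits; the config.xml inside a repackaged apk can be edited just like index.html.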

Frameworks like Cordova are designed in such a way that security threats of this kind will exist. It is therefore essential to be extremely cautious in selecting the correct framework for your application.

Tools used:

  1. dex2jar: https://code.google.com/p/dex2jar/
  2. apktool: https://ibotpeaches.github.io/Apktool/

References:

https://cordova.apache.org/

https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/

The post How frameworks like Cordova leave an inherent security hole in Mobile Apps appeared first on SynRadar.


