Apache Cordova Android 3.5.1

Posted by: Marcel Kinard

04 Aug 2014

Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:

cordova platform add android@3.5.1 --usenpm

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.


CVE-2014-3500: Cordova cross-application scripting via Android intent URLs

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.5.0

Description: Android applications built with the Cordova framework can be launched through a special intent URL. A specially-crafted URL could cause the Cordova-based application to start up with a different start page than the developer intended, including other HTML content stored on the Android device. This has been the case in all released versions of Cordova up to 3.5.0, and has been fixed in the latest release (3.5.1). We recommend affected projects update their applications to the latest release.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: All released Cordova Android versions

Description: Android applications built with the Cordova framework use a WebView component to display content. Cordova applications can specify a whitelist of URLs which the application will be allowed to display, or to communicate with via XMLHttpRequest. This whitelist, however, is not used by the WebView component when it is directed via JavaScript to communicate over non-http channels.

Specifically, it can be possible to open a WebSocket connection from the application JavaScript which will connect to any reachable server on the Internet. If an attacker is able to execute arbitrary JavaScript within the application, then that attacker can cause a connection to be opened to any server, bypassing the HTTP whitelist.

This is a limitation of the hybrid app architecture on Android in general, and not specific to Apache Cordova.

It is possible to mitigate this attack vector by adding a CSP meta tag to all HTML pages in the application, to allow connections only to trusted sources. App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk of XAS attacks against their applications, which could then use this mechanism to reach unintended servers. See CVE-2014-3500 for more information on a possible XAS vulnerability.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1, and consider adding CSP meta tags to their application HTML.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.5.0

Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.

Implicit intents, including URLs with schemes such as “tel”, “geo”, and “sms” can still be used to open external applications by default, but this behaviour can be overridden by plugins.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

(This notice originally read as follows:)

CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.5.0

Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.