Blog RSS Feed

Apache Cordova Android 4.0.2 and 3.7.2 released
26 May 2015

A major Security issue were discovered in the Android platform of Cordova. We are releasing version 4.0.2 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. If you are using an older version of Cordova, we have also released 3.7.2 with the same fix, and we recommend that you at upgrade your project to either of these fixed versions. Other Cordova platforms such as iOS are unaffected, and do not have an update.

When using the Cordova CLI, the command to use 4.0.2 of Cordova Android is:

cordova platform add android@4.0.2

and the command to use 3.7.2 is:

cordova platform add android@3.7.2

The security issue is CVE-2015-1835

For your convenience, the text of the CVE is included here.

CVE-2015-1835: Remote exploit of secondary configuration variables in Apache Cordova on Android

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 4.0.1 (3.7.2 Excluded)

Description: Android applications built with the Cordova framework that don't have explicit values set in Config.xml can have undefined configuration variables set by Intent. This can cause unwanted dialogs appearing in applications and changes in the application behaviour that can include the app force-closing.

The latest release of Cordova Android entirely removes the ability of configuration parameters to be set by intents. This change is an API change in the platform, and third-party plugins that use values set in the config.xml should make sure that they use the preferences API instead of relying on the Intent bundle, whcih can be manipulated in this case.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 4.0.2. Developers unable to upgrade to 4.0.2 also have the option of upgrading to Cordova Android 3.7.2. Developers should also make sure that variables that they wish to have protected are specified in their config.xml.

Credit: This issue was discovered by Seven She from TrendMicro Mobile Threat Research Team (TRT)