Friday, August 22nd, 2014

Apache Cordova Vulnerability

Vulnerability that Might Expose Nearly 5.8% of Android Apps

Apache Cordova

The IBM Security X-Force Research team has uncovered a serious vulnerability affecting many Android applications built on the Apache Cordova (previously PhoneGap) platform. According to AppBrain, 5.8 percent of Android apps are built on Cordova. While 5.8 percent might sound like a low percentage, some widely used Android applications are among them. Researchers found that of the 248 applications tested containing the keyword “bank”, 25 were built using Cordova, roughly 10 percent. An attacker could therefore steal users’ banking credentials and perform transactions, such as withdrawing funds or transferring them from the victim’s bank account to another account.

Intelligence Index

The millions of users of Cordova-based Android apps are at risk of having sensitive information stolen, which would allow attackers to impersonate them, access their accounts and even make purchases on their behalf. IBM’s Cyber Security Intelligence Index found that 95 percent of successful attacks or security incidents were caused by human error, and attackers continue to aggressively seek out vulnerabilities such as this one to exploit.

Before announcing this vulnerability, IBM Security’s team followed its responsible disclosure policy and privately reported the vulnerabilities to the Cordova team. As a result, patches are available in the latest Cordova release, version 3.5.1.

Analysis

The IBM team’s analysis shows that the vulnerability is extremely easy for an attacker to exploit. Under certain circumstances it can also be exploited remotely to steal sensitive information, such as cookies associated with the Cordova-based application, simply by the user browsing to a malicious website on the device (better known as drive-by exploitation).

The Apache Cordova vulnerabilities enable cross-application scripting: the execution of malicious JavaScript (JS) code in the context of Cordova-based apps. In addition, because of other vulnerabilities that we have detected within Cordova, such code can exfiltrate information back to the attacker.

We strongly recommend that all developers upgrade to the latest Cordova version (3.5.1) and apply the mitigations detailed in our white paper.
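A quick way to act on that recommendation across an app inventory is to look inside each APK for the bundled Cordova runtime and compare its release number against 3.5.1. The script below is an added example for this post, not code from IBM or the Apache Cordova project. It assumes (the post does not say this) that a Cordova app ships its runtime as `assets/www/cordova.js` and that the file names its release near the top, for example as a `// 3.4.0` comment line; adjust `CORDOVA_JS_PATH` and the regex if your builds differ. The sample cordova.js headers in the block are constructed for the demonstration.

```python
"""Flag Android APKs built on a Cordova release older than 3.5.1.

Added example, not code from IBM or the Apache Cordova project. Assumes
(not stated in the post) that a Cordova app carries its runtime as
assets/www/cordova.js and that the file names its release near the top.
"""
import io
import re
import sys
import zipfile
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Release named in the post as carrying the fixes.
FIXED_VERSION: Version = (3, 5, 1)

# Assumed location of the Cordova runtime inside the APK (a zip archive).
CORDOVA_JS_PATH = "assets/www/cordova.js"

# A dotted three-part release number; "-dev" / "-rc1" suffixes are tolerated.
# Three parts are required so "Apache License, Version 2.0" never matches.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z release number in the head of cordova.js, if any."""
    m = VERSION_RE.search(text[:2000])  # the label sits near the top, if at all
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Version) -> bool:
    """Tuple comparison orders releases numerically, e.g. (3, 10, 0) > (3, 5, 1)."""
    return version < FIXED_VERSION


def check_apk_bytes(data: bytes) -> dict:
    """Inspect an APK held in memory and return a small report dict."""
    report = {"cordova": False, "version": None, "vulnerable": None}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        if CORDOVA_JS_PATH not in apk.namelist():
            return report  # not a Cordova app (under the path assumption above)
        report["cordova"] = True
        js = apk.read(CORDOVA_JS_PATH).decode("utf-8", errors="replace")
        version = parse_version(js)
        report["version"] = version
        # An unreadable version is reported as vulnerable: "can't tell" is unsafe.
        report["vulnerable"] = True if version is None else is_vulnerable(version)
    return report


def check_apk(path: str) -> dict:
    """Inspect an APK on disk."""
    with open(path, "rb") as f:
        return check_apk_bytes(f.read())


def build_sample_apk(cordova_js: Optional[str]) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest and optional cordova.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        if cordova_js is not None:
            z.writestr(CORDOVA_JS_PATH, cordova_js)
    return buf.getvalue()


# Constructed cordova.js headers in the layout this example assumes.
OLD_JS = "// Platform: android\n// 3.4.0\n/* Licensed under the Apache License, Version 2.0 */\n"
FIXED_JS = "// Platform: android\n// 3.5.1\n/* Licensed under the Apache License, Version 2.0 */\n"

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:  # usage: python cordova_check.py app1.apk app2.apk ...
            print(p, check_apk(p))
    else:
        for label, js in (("old", OLD_JS), ("fixed", FIXED_JS), ("native", None)):
            print(label, check_apk_bytes(build_sample_apk(js)))
```

Run it with one or more APK paths to get a per-file report; with no arguments it runs against the constructed samples. Note that an app can bundle a patched cordova.js while still using a vulnerable native Cordova library, so treat a clean result here as a first pass, not proof that the app is fixed.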

Since IBM Worklight uses Apache Cordova, it is affected as well. We at IBM are committed to the security of our clients; fixes addressing this security exposure in Worklight have therefore been published to Fix Central for the 5.0.6.x, 6.0.0.x, 6.1.0.x and 6.2.0.x releases.

A typical attack will be as follows:

Consider Bob, a user of the fictitious bank Altoro Mutual, which is known for its low security standards. Bob has Altoro’s app installed on his Android device and recently used it to access his Altoro bank account. Mallory, the attacker, who is eager to get some money from Bob, has lured Bob into browsing to her malicious website through a well-crafted phishing email. Alternatively, Mallory could have exploited an existing XSS vulnerability in a popular website in order to run malicious JavaScript code in Bob’s browser. This malicious JavaScript can then exploit the Cordova vulnerabilities to steal Bob’s Altoro Mutual login credentials and other sensitive information held by Altoro’s app. From this point forward, Mallory can impersonate Bob at Altoro Mutual using the stolen credentials and perform transactions, such as withdrawing funds from his Altoro bank account.

Reference: IBM Security, http://securityintelligence.com/apache-cordova-phonegap-vulnerability-android-banking-apps/#.U_etGkvCWIw

    Copyright Smarttech247 - 2021