Apache Cordova Cross-Application Scripting (XAS)
What is it?
A vulnerability affecting Android applications using Apache Cordova.
How does it work?
Malicious JavaScript code is executed within an app, breaking the platform sandbox protection mechanism and allowing information to be stolen.
Should I be worried?
Yes. Apache Cordova is used in 5.8 percent of Android applications.
How can I prevent it?
In order to prevent XAS, never allow user data to fully control the URL of the WebView object. In addition, activities incorrectly designated as exported should be non-exported in the Android Manifest file.Do not enable JavaScript or allow universal/file access from file URIs.
As for the specific Cordova vulnerability, apply the latest patches and updates to Android apps. Developers should rapidly implement and deploy available security fixes. Large companies should consider product security incident response teams responsible for tracking and notifying developers of vulnerabilities.
Roee Hay is application security research team lead at IBM X-Force.