Apache Cordova Security Vulnerabilities and Platform Overview

What is Apache Cordova?

Apache Cordova (formerly PhoneGap) is a framework for developing mobile apps for Android, iOS, Blackberry, Windows Phone, Ubuntu and Firefox OS. With Apache Cordova, developers can create apps using standard tech: HTML for organization and structure, CSS for design, and JavaScript for logic and anything else.

Development in Cordova is similar to the development needed to build a web page as HTML, CSS and JS all combine to create a webview that is wrapped in Cordova.

Applications developed using Cordova are known as Hybrid apps as they are not developed to be native to one specific mobile operating system such as iOS or Android.

Cordova applications are not only faster, and simpler to develop, but they’re also much easier to maintain as you’re only dealing with one codebase, rather than multiple platform specific ones. Once development is finished on, you can add additional platforms with one line of code. As a result, lots of applications, both commercial and non, are built using this methodology.

Hybrid apps are web applications behind a native shell and because of this, only one application needs to be developed as it is able to adapt and adopt to both Android and iOS devices. Most hybrid applications are built using cross-compatible web technologies such as HTML5, CSS and Javascript. Hybrid development is enabled by such platforms as Cordova (and Cordova-based tools such as PhoneGap), Appcelerator Titanium and Xamarin.

Apache Cordova Architecture

Who should use Apache Cordova for Development

For developers, choosing between a hybrid and native development methodology can be confusing. According to the Apache Cordova website, you should choose this as your methodology if you are:

  • a mobile developer and want to extend an application across more than one platform, without having to re-implement it with each platform’s language and tool set.
  • a web developer and want to deploy a web app that’s packaged for distribution in various app store portals.
  • a mobile developer interested in mixing native application components with a WebView (special browser window) that can access device-level APIs, or if you want to develop a plugin interface between native and WebView components.

Security Concerns for Hybrid Applications

Cordova applications are not exempt to vulnerabilities, especially if they contain poorly written code.

Cordova apps make extensive use of web views, which can leave the application open to potential exploits if not the code is not properly secured, any attack which is specific to JavaScript, or HTML, is also a threat to hybrid applications and vulnerabilities related to the backend API are also common.

While not a completely bulletproof solution against attacks against your app, one way to minimize the threat is by only working with secure frameworks with built-in security controls. Additionally, reverse engineering and man-in-the-middle attacks also threaten hybrid applications.

Common Attacks that Threaten Cordova Applications

  • JavaScript Injection (due to use of JS and HTML)
  • Weak SSL implementation (same as native)
  • Caching issues

Cordova applications are simpler to develop and they’re also much easier to maintain as you’re only dealing with one codebase, rather than multiple platform specific ones. Once development is finished on, you can add additional platforms with one line of code. As a result, lots of applications, both commercial and not, are built using this methodology.

Mobile Security

As the content consumed around the globe shifts even further from web-based content to content consumed on mobile, it’s critical that anyone developing software for mobile devices is committing to proper security throughout the development cycle.

“Over 7 billion mobile devices are being used today all around the world and their number is multiplying 5 times faster than human beings,” said Emmanuel Benzaquen, CEO of Checkmarx. “With the huge amounts of private information being transferred worldwide through these devices, the need for strong mobile security has become paramount. Mobile application security is a huge challenge and only robust application code can help organizations provide the users with the security they need, expect and deserve.

Apache Cordova Security Vulnerabilities

HTML5 Security Vulnerabilities in JavaScript:

  • Medium Threat: Client HTML5 Information Exposure
  • Medium Threat: Client HTML5 Insecure Storage
  • Medium Threat: Client HTML5 Store Sensitive data In Web Storage
  • Low Visibility: Client HTML5 Easy To Guess Database Name
  • Low Visibility: Client HTML5 Heuristic Session Insecure Storage

Securing your Apache Cordova Apps

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Apache Cordova testing solutions as not only the solution which will keep your Apache Cordova apps free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

CxSAST works with the tools your developers are already using as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features such as incremental code scanning and the best fix location made it ideal for any continuous integration continuous development (CICD) environment.

When vulnerabilities are detected in the Apache Cordova code, CxSAST will not only identify the best fix location, but will also offer resources to the developer to understand how the attack vector work as well as remediation advice which will help them ensure similar mistakes are avoided in the future.

Want to learn more about Android vulnerabilities, why they happen, and how to eliminate them? Click for a tutorial and start sharpening your skills!