IBM Support

PI21530: SECURITY VULNERABILITY WITH CORDOVA ON ANDROID


APAR status

  • Closed as program error.

Error description

  • An exploitable security vulnerability exists in Cordova
    applications running on Android.
    

Local fix

Problem summary

  • USERS AFFECTED:
    End users of Worklight applications running on Android

    PROBLEM DESCRIPTION:
    Hybrid or web based Android applications that were built
    using the Cordova library at version 3.5 and below are
    subject to a security exploit where an end user's private
    data can be sent to a third party server. The exploit relies
    on stringing together a series of smaller vulnerabilities,
    all of which have been fixed in Cordova versions 3.5 and
    above. A summary of the attack is as follows:

    1. User visits a malicious website on the device's browser,
       which secretly downloads a remote file
    2. The malicious website opens a Cordova based application
       targeting the malicious page
    3. The malicious page has full access to the Cordova APIs
       and can steal and exfiltrate data

    Please see
    https://www.ibm.com/developerworks/community/blogs/worklight/entry/action_required_cordova_android_security_update?lang=en

    RECOMMENDATION:
    -
    

Problem conclusion

  • The issue was resolved in Cordova by ensuring that only the
    developer-selected start page is used to start a Cordova app,
    which prevents unauthorized access to the Cordova APIs.
    Technically, this means that Android intents can no longer
    specify the start and error pages of a Cordova application;
    however, this feature was never really supported or used in the
    first place. There were also improvements to the whitelist to
    prevent exfiltration of data, although exfiltration can now
    occur only if a user installs an already-compromised Cordova
    application. Finally, documentation was added to the open source
    community around using Content Security Policy to further secure
    applications. The fix can be applied by adding the ifix, then
    removing and re-adding the Android environment to the
    Worklight project.
    
    
    Because the Cordova project does not backport fixes, we
    backported all of these changes to the various IBM-maintained
    Cordova Extended Support Release streams.
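
The whitelist and Content Security Policy points above can be checked per application after the fix is applied. The following is an added example, not code from IBM or the Cordova project: it assumes the standard Cordova config.xml `<content>` and `<access>` elements and a CSP `<meta>` tag in the start page, and the function name, finding codes and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

class _CspFinder(HTMLParser):
    """Collects <meta http-equiv="Content-Security-Policy"> policies."""
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def audit(config_xml, start_page_html):
    """Return sorted finding codes for one app's config.xml and start page."""
    findings = set()
    for el in ET.fromstring(config_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if name == "content" and re.match(r"(?i)(https?:)?//", el.get("src", "")):
            findings.add("REMOTE_START_PAGE")      # remote content would get the Cordova APIs
        origin = el.get("origin", "").strip()
        if name == "access" and re.fullmatch(r"(?i)\*|https?://\*(/.*)?", origin):
            findings.add("WILDCARD_WHITELIST")     # any server is a permitted destination
    finder = _CspFinder()
    finder.feed(start_page_html)
    if not finder.policies:
        findings.add("NO_CSP")
    for policy in finder.policies:
        directives = {}
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        # connect-src falls back to default-src; with neither, connections are unrestricted
        sources = directives.get("connect-src", directives.get("default-src", ["*"]))
        if "*" in sources:
            findings.add("CSP_ALLOWS_ANY_CONNECT")
    return sorted(findings)

# Constructed sample inputs (not from any real application)
WEAK_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.demo">
  <content src="index.html"/><access origin="*"/></widget>"""
WEAK_PAGE = "<html><head><title>Demo</title></head><body></body></html>"
HARDENED_CONFIG = WEAK_CONFIG.replace('origin="*"', 'origin="https://api.example.com"')
HARDENED_PAGE = ("<html><head><meta http-equiv=\"Content-Security-Policy\" "
                 "content=\"default-src 'self'; connect-src https://api.example.com\">"
                 "</head><body></body></html>")

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG, WEAK_PAGE))
    print("hardened:", audit(HARDENED_CONFIG, HARDENED_PAGE))
```

These checks cover only application configuration; the start-page handling described above is corrected in the Cordova library itself by the fix.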
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI21530

  • Reported component name

    WORKLIGHT CONSU

  • Reported component ID

    5725I4301

  • Reported release

    505

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-07-08

  • Closed date

    2015-02-02

  • Last modified date

    2015-02-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WORKLIGHT CONSU

  • Fixed component ID

    5725I4301

Applicable component levels

  • R505 PSY

       UP

  • R506 PSY

       UP

  • R600 PSY

       UP

  • R610 PSY

       UP

  • R620 PSY

       UP

  • R630 PSY

       UP


Document Information

Modified date:
17 October 2021