
Android apps open to hackers thanks to an Apache vulnerability

A significant vulnerability has been discovered, leaving one in 20 Android apps open for hackers.

Researchers at security firm Trend Micro say they've discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL.

"The extent of the modifications can range from causing nuisance for app users to crashing the apps completely."

Apache Cordova is used in 5.6 per cent of all Android applications, and is used by developers to access native device functions, such as the camera or the accelerometer.

The vulnerability is said to stem from a glitch in the way the Apache Cordova framework handles app developer preferences.

"The vulnerability is found in a Cordova feature where secondary configuration variables (also known as 'preferences') could be set from intent bundles in the base activity," Trend Micro explains.

"Preferences are a set of variables reserved for developers to configure their apps. They are the sources of the built-in characteristics of Cordova-based apps and should be controlled only by app developers.

"Any tampering with these variables during runtime initialisation will certainly mess up the app's normal behaviour."
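The behaviour Trend Micro describes can be pictured with a simplified model, added here as an illustration and not taken from Cordova's source or from Trend Micro. The function names, the sample values and the case-insensitive matching of preference names are assumptions.

```javascript
// Added illustration: a simplified model of preference loading, not Cordova code.
// All function and variable names here are hypothetical.

// Constructed sample: preferences the developer shipped with the app.
const configPrefs = { LoadUrlTimeoutValue: 20000, SplashScreen: "screen", Fullscreen: false };

// Constructed sample: extras carried by an externally supplied launch intent.
const launchExtras = { splashscreen: "other_image", loadurltimeoutvalue: 1, unrelated: "x" };

// Assumption: preference names are matched case-insensitively.
function normalize(prefs) {
  const out = {};
  for (const [name, value] of Object.entries(prefs || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Flawed pattern: values from the intent bundle are merged over the
// developer's configuration during initialisation, so the caller wins.
function loadPreferencesVulnerable(config, extras) {
  return { ...normalize(config), ...normalize(extras) };
}

// Hardened pattern: only the packaged configuration is trusted. Extras that
// collide with a preference name are dropped and returned so they can be logged.
function loadPreferencesHardened(config, extras) {
  const prefs = normalize(config);
  const rejected = Object.keys(normalize(extras))
    .filter((key) => Object.prototype.hasOwnProperty.call(prefs, key))
    .sort();
  return { prefs, rejected };
}

console.log(loadPreferencesVulnerable(configPrefs, launchExtras));
console.log(loadPreferencesHardened(configPrefs, launchExtras));
```

The list of rejected keys gives a signal worth logging: a launch request that tries to set developer-only preferences is not normal app traffic.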

The flaw can be used for a number of purposes, and the most annoying ones include adding pop-ups and splash screens to various apps.

Trend Micro has notified Apache of the vulnerability, and Apache has issued a security bulletin confirming the problem and released an update to patch it.

"We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android," the company said.