
Android apps open to hackers thanks to an Apache vulnerability

A significant vulnerability has been discovered, leaving one in 20 Android apps open for hackers.

Researchers at security firm Trend Micro say they've discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behaviour of apps just by clicking a URL.

“The extent of the modifications can range from causing nuisance for app users to crashing the apps completely.”

Apache Cordova is used in 5.6 per cent of all Android applications, and is used by developers to access native device functions, such as the camera or the accelerometer.

The vulnerability is said to stem from a glitch in the way the Apache Cordova framework handles app developer preferences.

"The vulnerability is found in a Cordova feature where secondary configuration variables (also known as 'preferences') could be set from intent bundles in the base activity," Trend Micro explains.

"Preferences are a set of variables reserved for developers to configure their apps. They are the sources of the built-in characteristics of Cordova-based apps and should be controlled only by app developers.

"Any tampering with these variables during runtime initialisation will certainly mess up the app's normal behaviour."

The flaw can be used for a number of purposes, and the most annoying ones include adding pop-ups and splash screens to various apps.
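
The trust problem Trend Micro describes, reduced to a plain-Java model as an added example (not Cordova's source and not code from Trend Micro or Apache): a `Map` stands in for the extras of the intent that launches the base activity, and the class, method and preference names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class PreferenceTrustDemo {

    // Constructed sample: values the developer ships inside the app package.
    static Map<String, String> packagedPreferences() {
        Map<String, String> prefs = new HashMap<>();
        prefs.put("splash_image", "brand_logo");   // hypothetical key
        prefs.put("load_timeout_ms", "20000");     // hypothetical key
        return prefs;
    }

    // Weak pattern: extras from the launching intent override the developer's
    // values, so any caller able to start the activity decides them.
    static Map<String, String> loadTrustingCaller(Map<String, String> intentExtras) {
        Map<String, String> prefs = packagedPreferences();
        prefs.putAll(intentExtras);
        return prefs;
    }

    // Hardened pattern: extras are never a preference source.
    static Map<String, String> loadDeveloperOnly(Map<String, String> intentExtras) {
        return packagedPreferences();
    }

    // Names of extras that collide with preference keys, for logging/alerting.
    static Set<String> rejectedOverrides(Map<String, String> intentExtras) {
        Set<String> hits = new TreeSet<>(intentExtras.keySet());
        hits.retainAll(packagedPreferences().keySet());
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of extras arriving from outside the app.
        Map<String, String> extras = new HashMap<>();
        extras.put("splash_image", "unexpected_value");
        extras.put("referrer", "campaign42");

        System.out.println("trusting caller : " + loadTrustingCaller(extras));
        System.out.println("developer only  : " + loadDeveloperOnly(extras));
        System.out.println("rejected extras : " + rejectedOverrides(extras));
    }
}
```

With the weak loader the packaged `splash_image` value is replaced by the caller's; with the hardened loader it is unchanged, and the colliding extra is reported so it can be logged.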

Trend Micro has notified Apache of the vulnerability, and Apache has issued a security bulletin confirming the problem and released an update to patch it.

"We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android," the company said.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.