Apache Cordova Android 3.5.1 Update

Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:

@@ -114,6 +116,26 @@

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading

+ +

Severity: Medium

+ +

Vendor: The Apache Software Foundation

+ +

Versions Affected: Cordova Android versions up to 3.5.0

+ +

Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.

+ +

The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.

+ +

Implicit intents, including URLs with schemes such as âtelâ, âgeoâ, and âsmsâ can still be used to open external applications by default, but this behaviour can be overridden by plugins.

+ +

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

+ +

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

+ +

(This notice originally read as follows:)

CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs

Severity: Medium

Added: cordova/site/public/announcements/2014/08/06/android-351-update.html URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/06/android-351-update.html?rev=1616301&view=auto ============================================================================== --- cordova/site/public/announcements/2014/08/06/android-351-update.html (added) +++ cordova/site/public/announcements/2014/08/06/android-351-update.html Wed Aug 6 18:52:05 2014 @@ -0,0 +1,171 @@ + + + + + + + + + + + Apache Cordova Android 3.5.1 Update + + + + + + + + + + + + + + + + +

+ + +

Apache Cordova Android 3.5.1 Update

Posted by: Ian Clelland

06 Aug 2014

+ +

On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasnât quite right, so weâve amended it.

+ +

You can read the amended blog post here.

+ +

The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldnât load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to âphone homeâ with the userâs data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.

+ +

In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like sms:, mailto:, or geo: in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.

+ +

As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like

+ +

cordova plugin add net.iclelland.external-app-block

+ +

or feel free to clone it from GitHub and tweak it to suit your needs.

+ +

Weâre hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself.

+ +

+ + + + +

+ +

Quick Links

+
+

General
Development
Apache Software Foundation

+ +

+ + +

+ + + + + Modified: cordova/site/public/blog/index.html URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1616301&r1=1616300&r2=1616301&view=diff ============================================================================== --- cordova/site/public/blog/index.html (original) +++ cordova/site/public/blog/index.html Wed Aug 6 18:52:05 2014 @@ -69,6 +69,11 @@

+ 06 Aug 2014 » + Apache Cordova Android 3.5.1 Update +
04 Aug 2014 » Apache Cordova Android 3.5.1

News Subscribe

06 Aug 2014 » Apache Cordova Android 3.5.1 Update + +
On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasnât quite right, so weâve amended it.
+ +
You can read the amended blog post here.
+ +
The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldnât load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to âphone homeâ with the userâs data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.
+ +
Read More
+
04 Aug 2014 » Apache Cordova Android 3.5.1 +
Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)
+
Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:
@@ -160,39 +172,6 @@ npm install -g plugman
Read More
-
08 Jul 2014 » Plugins Release: July 8, 2014 - -
The following plugins were updated today:
- -
- cordova-plugin-contacts: 0.2.11
- cordova-plugin-network-information: 0.2.10
- -
Notable changes include:
- -
- The network-information plugin no longer crashes immediately if no network is available
- navigator.contacts.pickContact API has been added for Android, iOS, Windows Phone 8 and Windows 8 platforms
- navigator.contacts.find API on Android, iOS and Windows Phone 8 now supports desiredFields which specifies contact fields to be returned
- Contacts on Firefox OS no longer requires manual change of the application permissions
- -
The plugins have been updated on our registry at plugins.cordova.io.
-
-
You can update any plugin by removing it, and then re-adding it. E.g. To update your contacts plugin:
- -
```
cordova plugin rm org.apache.cordova.contacts
-cordova plugin add org.apache.cordova.contacts
```
- -
Other changes include:
- -
Read More
-

Modified: cordova/site/public/rss.xml URL: http://svn.apache.org/viewvc/cordova/site/public/rss.xml?rev=1616301&r1=1616300&r2=1616301&view=diff ============================================================================== --- cordova/site/public/rss.xml (original) +++ cordova/site/public/rss.xml Wed Aug 6 18:52:05 2014 @@ -5,8 +5,8 @@ Apache Cordova - Apache Cordova is a set of device APIs that allow a web mobile app developer to access native device function from JavaScript. http://cordova.apache.org/rss.xml - Mon, 04 Aug 2014 14:34:03 -0700 - Mon, 04 Aug 2014 14:34:03 -0700 + Wed, 06 Aug 2014 14:35:38 -0400 + Wed, 06 Aug 2014 14:35:38 -0400 1800 http://cordova.apache.org @@ -19,8 +19,34 @@ + Apache Cordova Android 3.5.1 Update + +On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasnât quite right, so weâve amended it. + +You can read the amended blog post <a href="http://cordova.apache.org/announcements/2014/08/04/android-351.html">here</a>. + +The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldnât load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to âphone homeâ with the userâs data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1. + +In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like <code>sms:</code>, <code>mailto:</code>, or <code>geo:</code> in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely. + +As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like + +<pre><code>cordova plugin add net.iclelland.external-app-block</code></pre> + +or feel free to clone it from <a href="https://github.com/clelland/cordova-plugin-external-app-block">GitHub</a> and tweak it to suit your needs. + +Weâre hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself. + + http://cordova.apache.org/announcements/2014/08/06/android-351-update.html + http://cordova.apache.org/announcements/2014/08/06/android-351-update + Wed, 06 Aug 2014 + + + Apache Cordova Android 3.5.1 +Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem) + Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update. When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is: @@ -65,6 +91,26 @@ Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems. <hr /> +CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading + +Severity: Medium + +Vendor: The Apache Software Foundation + +Versions Affected: Cordova Android versions up to 3.5.0 + +Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network. + +The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device. + +Implicit intents, including URLs with schemes such as âtelâ, âgeoâ, and âsmsâ can still be used to open external applications by default, but this behaviour can be overridden by plugins. + +Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1. + +Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems. + +(This notice originally read as follows:) + CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs Severity: Medium Modified: cordova/site/www/_posts/2014-08-04-android-351.md URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-04-android-351.md?rev=1616301&r1=1616300&r2=1616301&view=diff ============================================================================== --- cordova/site/www/_posts/2014-08-04-android-351.md (original) +++ cordova/site/www/_posts/2014-08-04-android-351.md Wed Aug 6 18:52:05 2014 @@ -8,6 +8,9 @@ categories: announcements tags: news releases security --- +**Updated: 2014-08-06** +(The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem) + Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update. When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is: @@ -95,6 +98,47 @@ This issue was discovered by David Kapla ____ +CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL +loading + + +Severity: Medium + +Vendor: +The Apache Software Foundation + +Versions Affected: +Cordova Android versions up to 3.5.0 + +Description: +Android applications built with the Cordova framework can launch other +applications through the use of anchor tags, or by redirecting the webview to +an Android intent URL. An attacker who can manipulate the HTML content of a +Cordova application can create links which open other applications and send +arbitrary data to those applications. An attacker who can run arbitrary +JavaScript code within the context of the Cordova application can also set the +document location to such a URL. By using this in concert with a second, +vulnerable application, an attacker might be able to use this method to send +data from the Cordova application to the network. + +The latest release of Cordova Android takes steps to block explicit Android +intent urls, so that they can no longer be used to start arbitrary applications +on the device. + +Implicit intents, including URLs with schemes such as "tel", "geo", and "sms" +can still be used to open external applications by default, but this behaviour +can be overridden by plugins. + +Upgrade path: +Developers who are concerned about this should rebuild their applications with +Cordova Android 3.5.1. + +Credit: +This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems. + + +(This notice originally read as follows:) + CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs Added: cordova/site/www/_posts/2014-08-06-android-351-update.md URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-06-android-351-update.md?rev=1616301&view=auto ============================================================================== --- cordova/site/www/_posts/2014-08-06-android-351-update.md (added) +++ cordova/site/www/_posts/2014-08-06-android-351-update.md Wed Aug 6 18:52:05 2014 @@ -0,0 +1,27 @@ +--- +layout: post +author: + name: Ian Clelland + url: https://twitter.com/iclelland +title: "Apache Cordova Android 3.5.1 Update" +categories: announcements +tags: news releases security +--- + +On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn't quite right, so we've amended it. + +You can read the amended blog post [here](http://cordova.apache.org/announcements/2014/08/04/android-351.html). + +The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn't load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to "phone home" with the user's data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1. + + + +In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like `sms:`, `mailto:`, or `geo:` in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely. + +As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like + + cordova plugin add net.iclelland.external-app-block + +or feel free to clone it from [GitHub](https://github.com/clelland/cordova-plugin-external-app-block) and tweak it to suit your needs. + +We're hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself.