Android Platform Release: 04 Aug 2014 Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update. The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502. For your convenience, the text of these CVEs is included here. A blog post is available at http://cordova.apache.org/#news CVE-2014-3500: Cordova cross-application scripting via Android intent URLs Severity: High Vendor: The Apache Software Foundation Versions Affected: Cordova Android versions up to 3.5.0 Description: Android applications built with the Cordova framework can be launched through a special intent URL. A specially-crafted URL could cause the Cordova-based application to start up with a different start page than the developer intended, including other HTML content stored on the Android device. This has been the case in all released versions of Cordova up to 3.5.0, and has been fixed in the latest release (3.5.1). We recommend affected projects update their applications to the latest release. Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1. Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems. CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs Severity: Medium Vendor: The Apache Software Foundation Versions Affected: All released Cordova Android versions Description: Android applications built with the Cordova framework use a WebView component to display content. Cordova applications can specify a whitelist of URLs which the application will be allowed to display, or to communicate with via XMLHttpRequest. This whitelist, however, is not used by the WebView component when it is directed via JavaScript to communicate over non-http channels. Specifically, it can be possible to open a WebSocket connection from the application JavaScript which will connect to any reachable server on the Internet. If an attacker is able to execute arbitrary JavaScript within the application, then that attacker can cause a connection to be opened to any server, bypassing the HTTP whitelist. This is a limitation of the hybrid app architecture on Android in general, and not specific to Apache Cordova. It is possible to mitigate this attack vector by adding a CSP meta tag to all HTML pages in the application, to allow connections only to trusted sources. App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk of XAS attacks against their applications, which could then use this mechanism to reach unintended servers. See CVE-2014-3500 for more information on a possible XAS vulnerability. Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1, and consider adding CSP meta tags to their application HTML. Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems. CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Cordova Android versions up to 3.5.0 Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network. The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device. Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1. Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.