From 24a95cd19813dd95cbe9b6ce2532253e33b33132 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 22 Jul 2025 01:44:59 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/mobile-pentesting/cordova-apps... --- src/mobile-pentesting/cordova-apps.md | 79 ++++++++++++++++++++++++++- 1 file changed, 76 insertions(+), 3 deletions(-) diff --git a/src/mobile-pentesting/cordova-apps.md b/src/mobile-pentesting/cordova-apps.md index bc415c084..69711e119 100644 --- a/src/mobile-pentesting/cordova-apps.md +++ b/src/mobile-pentesting/cordova-apps.md 
@@ -60,7 +60,80 @@ This command generates an APK with the debug option enabled, facilitating debugg For those seeking to automate the cloning process, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is a recommended tool. It streamlines the cloning of Android applications, simplifying the steps outlined above. +--- + +## Security Risks & Recent Vulnerabilities (2023-2025) + +Cordova’s plugin-based architecture means that **most of the attack surface sits inside third-party plugins and the WebView bridge**. The following issues have been actively exploited or publicly disclosed in the last few years: + +* **Malicious NPM Packages.** In July 2024 the package `cordova-plugin-acuant` was removed from the NPM registry after it was discovered dropping malicious code during installation (OSV-ID MAL-2024-7845). Any developer machine that executed `npm install cordova-plugin-acuant` should be considered compromised. Audit `package.json`/`package-lock.json` for unexpected Cordova plugins and pin trusted versions. [OSV advisory](/) +* **Unvalidated Deeplinks → XSS/RCE.** `CleverTap Cordova Plugin ≤ 2.6.2` (CVE-2023-2507) fails to sanitise deeplink input, allowing an attacker to inject arbitrary JavaScript that executes in the main WebView context when a crafted link is opened. Update to ≥ 2.6.3 or strip untrusted URI parameters at runtime. [CVE-2023-2507](/) +* **Out-of-Date Platform Code.** `cordova-android` ≤ 12 ships with targetSdk 33 or lower. Beginning May 2024 Google Play requires API 34, and several WebView hardening features (e.g. auto-generated `exported="false"` for components) are only present in API 34+. Upgrade to `cordova-android@13.0.0` or later. + +### Quick checks during a pentest + +1. **Look for `android:debuggable="true"`** in the decompiled `AndroidManifest.xml`. Debuggable builds expose the WebView over `chrome://inspect` allowing full JS injection. +2. Review `config.xml` for overly permissive `` tags or missing CSP meta-tags in `www/index.html`. 
+3. Grep `www/` for `eval(`, `new Function(` or dynamically-constructed HTML that could turn CSP bypasses into XSS. +4. Identify embedded plugins in `plugins/` and run `npm audit --production` or `osv-scanner --lockfile` to find known CVEs. + +--- + +## Dynamic Analysis Tips + +### Remote WebView Debugging + +If the application has been compiled in **debug** mode (or explicitly calls `WebView.setWebContentsDebuggingEnabled(true)`), you can attach Chrome DevTools: + +```bash +adb forward tcp:9222 localabstract:chrome_devtools_remote +google-chrome --new-window "chrome://inspect/#devices" +``` + +This gives you a live JavaScript console, DOM inspector and the ability to overwrite JavaScript functions at runtime – extremely handy for bypassing client-side logic. (See Google’s official documentation for more details.) + +### Hooking the JS ⇄ Native bridge with Frida + +The Java-side entry point of most plugins is `org.apache.cordova.CordovaPlugin.execute(...)`. Hooking this method lets you monitor or tamper with calls made from JavaScript: + +```javascript +// frida -U -f com.vulnerable.bank -l hook.js --no-pause +Java.perform(function () { + var CordovaPlugin = Java.use('org.apache.cordova.CordovaPlugin'); + CordovaPlugin.execute.overload('java.lang.String','org.json.JSONArray','org.apache.cordova.CallbackContext').implementation = function(act, args, ctx) { + console.log('[Cordova] ' + act + ' => ' + args); + // Tamper the first argument of a sensitive action + if (act === 'encrypt') { + args.put(0, '1234'); + } + return this.execute(act, args, ctx); + }; +}); +``` + +--- + +## Hardening Recommendations (2025) + +* **Update to the latest platform:** `cordova-android@13` (May 2024) targets API 34 and brings new WebView mitigations. +* **Remove debug artifacts:** Ensure `android:debuggable="false"` and avoid calling `setWebContentsDebuggingEnabled` in release builds. 
+* **Enforce a strict CSP & AllowList:** Add a `` tag in every HTML file and restrict `` origins in `config.xml`. + Example minimal CSP that blocks inline scripts: + ```html + + ``` +* **Disable clear-text traffic:** In `AndroidManifest.xml` set `android:usesCleartextTraffic="false"` and/or provide a [network-security-config] that enforces TLS. +* **Plugin hygiene:** + * Pin plugin versions with `npm ci` and commit the generated `package-lock.json`. + * Periodically run `npm audit`, `osv-scanner` or `cordova-check-plugins`. +* **Obfuscation:** Minify JavaScript with Terser/UglifyJS and remove source maps from production builds to slow down casual reversing. + +--- + +## References + +* Apache Cordova – Cordova-Android 13.0.0 release notes (May 2024) +* OSV-ID MAL-2024-7845 – Malicious code in `cordova-plugin-acuant` +* CVE-2023-2507 – CleverTap Cordova Plugin deeplink XSS + {{#include ../banners/hacktricks-training.md}} - - -
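Review bot: several inline-code spans and the CSP example in this hunk are empty, so the rendered page shows bare `` markers ("overly permissive `` tags", "Add a `` tag", "restrict `` origins") and a blank ```html block where the `<access origin>` and `<meta http-equiv="Content-Security-Policy" ...>` tags belong; the HTML appears to have been stripped on the way in, so re-add it inside backticks (or as `&lt;meta ...&gt;`) and restore the "Example minimal CSP that blocks inline scripts" body, otherwise the hardening advice cannot be followed. The two advisory links `[OSV advisory](/)` and `[CVE-2023-2507](/)` point at `/` instead of the OSV and CVE pages, and `[network-security-config]` is a reference-style link with no definition, so it will render as literal brackets. In the plugin-hygiene bullet, `npm ci` does not pin versions by itself; it installs whatever the committed `package-lock.json` records, so reword to "pin plugin versions in `package.json`, commit `package-lock.json` and install with `npm ci`".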