maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1169 from HackTricks-wiki/research_update_src_mobile-pentesting_cordova-apps_20250722_014118

Browse Source 
Research Update Enhanced src/mobile-pentesting/cordova-apps....
This commit is contained in:
SirBroccoli 2025-07-22 20:02:04 +02:00 committed by GitHub
commit cc48228a9d
1 changed files with 76 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
src/mobile-pentesting/cordova-apps.md
View File

@ -60,7 +60,80 @@ This command generates an APK with the debug option enabled, facilitating debugg
For those seeking to automate the cloning process, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is a recommended tool. It streamlines the cloning of Android applications, simplifying the steps outlined above. For those seeking to automate the cloning process, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is a recommended tool. It streamlines the cloning of Android applications, simplifying the steps outlined above.
---
## Security Risks & Recent Vulnerabilities (2023-2025)
Cordovas plugin-based architecture means that **most of the attack surface sits inside third-party plugins and the WebView bridge**. The following issues have been actively exploited or publicly disclosed in the last few years:
* **Malicious NPM Packages.** In July 2024 the package `cordova-plugin-acuant` was removed from the NPM registry after it was discovered dropping malicious code during installation (OSV-ID MAL-2024-7845). Any developer machine that executed `npm install cordova-plugin-acuant` should be considered compromised. Audit `package.json`/`package-lock.json` for unexpected Cordova plugins and pin trusted versions. [OSV advisory](/)
* **Unvalidated Deeplinks → XSS/RCE.** `CleverTap Cordova Plugin ≤ 2.6.2` (CVE-2023-2507) fails to sanitise deeplink input, allowing an attacker to inject arbitrary JavaScript that executes in the main WebView context when a crafted link is opened. Update to ≥ 2.6.3 or strip untrusted URI parameters at runtime. [CVE-2023-2507](/)
* **Out-of-Date Platform Code.** `cordova-android` ≤ 12 ships with targetSdk 33 or lower. Beginning May 2024 Google Play requires API 34, and several WebView hardening features (e.g. auto-generated `exported="false"` for components) are only present in API 34+. Upgrade to `cordova-android@13.0.0` or later.
### Quick checks during a pentest
1. **Look for `android:debuggable="true"`** in the decompiled `AndroidManifest.xml`. Debuggable builds expose the WebView over `chrome://inspect` allowing full JS injection.
2. Review `config.xml` for overly permissive `<access origin="*">` tags or missing CSP meta-tags in `www/index.html`.
3. Grep `www/` for `eval(`, `new Function(` or dynamically-constructed HTML that could turn CSP bypasses into XSS.
4. Identify embedded plugins in `plugins/` and run `npm audit --production` or `osv-scanner --lockfile` to find known CVEs.
---
## Dynamic Analysis Tips
### Remote WebView Debugging
If the application has been compiled in **debug** mode (or explicitly calls `WebView.setWebContentsDebuggingEnabled(true)`), you can attach Chrome DevTools:
```bash
adb forward tcp:9222 localabstract:chrome_devtools_remote
google-chrome --new-window "chrome://inspect/#devices"
```
This gives you a live JavaScript console, DOM inspector and the ability to overwrite JavaScript functions at runtime extremely handy for bypassing client-side logic. (See Googles official documentation for more details.)
### Hooking the JS ⇄ Native bridge with Frida
The Java-side entry point of most plugins is `org.apache.cordova.CordovaPlugin.execute(...)`. Hooking this method lets you monitor or tamper with calls made from JavaScript:
```javascript
// frida -U -f com.vulnerable.bank -l hook.js --no-pause
Java.perform(function () {
var CordovaPlugin = Java.use('org.apache.cordova.CordovaPlugin');
CordovaPlugin.execute.overload('java.lang.String','org.json.JSONArray','org.apache.cordova.CallbackContext').implementation = function(act, args, ctx) {
console.log('[Cordova] ' + act + ' => ' + args);
// Tamper the first argument of a sensitive action
if (act === 'encrypt') {
args.put(0, '1234');
}
return this.execute(act, args, ctx);
};
});
```
---
## Hardening Recommendations (2025)
* **Update to the latest platform:** `cordova-android@13` (May 2024) targets API 34 and brings new WebView mitigations.
* **Remove debug artifacts:** Ensure `android:debuggable="false"` and avoid calling `setWebContentsDebuggingEnabled` in release builds.
* **Enforce a strict CSP & AllowList:** Add a `<meta http-equiv="Content-Security-Policy" ...>` tag in every HTML file and restrict `<access>` origins in `config.xml`.
Example minimal CSP that blocks inline scripts:
```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'">
```
* **Disable clear-text traffic:** In `AndroidManifest.xml` set `android:usesCleartextTraffic="false"` and/or provide a [network-security-config] that enforces TLS.
* **Plugin hygiene:**
* Pin plugin versions with `npm ci` and commit the generated `package-lock.json`.
* Periodically run `npm audit`, `osv-scanner` or `cordova-check-plugins`.
* **Obfuscation:** Minify JavaScript with Terser/UglifyJS and remove source maps from production builds to slow down casual reversing.
---
## References
* Apache Cordova Cordova-Android 13.0.0 release notes (May 2024)
* OSV-ID MAL-2024-7845 Malicious code in `cordova-plugin-acuant`
* CVE-2023-2507 CleverTap Cordova Plugin deeplink XSS
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}