# Cordova Apps {{#include ../banners/hacktricks-training.md}} **For further details check [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)**. This is a sumary: Apache Cordova is recognized for enabling the development of **hybrid applications** using **JavaScript, HTML, and CSS**. It allows the creation of Android and iOS applications; however, it lacks a default mechanism for securing the application's source code. In contrast to React Native, Cordova does not compile the source code by default, which can lead to code tampering vulnerabilities. Cordova utilizes WebView to render applications, exposing the HTML and JavaScript code even after being compiled into APK or IPA files. React Native, conversely, employs a JavaScript VM to execute JavaScript code, offering better source code protection. ### Cloning a Cordova Application Before cloning a Cordova application, ensure that NodeJS is installed along with other prerequisites like the Android SDK, Java JDK, and Gradle. The official Cordova [documentation](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) provides a comprehensive guide for these installations. Consider an example application named `Bank.apk` with the package name `com.android.bank`. To access the source code, unzip `bank.apk` and navigate to the `bank/assets/www` folder. This folder contains the complete source code of the application, including HTML and JS files. The application's configuration can be found in `bank/res/xml/config.xml`. To clone the application, follow these steps: ```bash npm install -g cordova@latest cordova create bank-new com.android.bank Bank cd bank-new ``` Copy the contents of `bank/assets/www` to `bank-new/www`, excluding `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, and the `plugins/` directory. Specify the platform (Android or iOS) when creating a new Cordova project. For cloning an Android app, add the Android platform. Note that Cordova's platform versions and Android API levels are distinct. Refer to the Cordova [documentation](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) for details on platform versions and supported Android APIs. To determine the appropriate Cordova Android platform version, check the `PLATFORM_VERSION_BUILD_LABEL` in the original application's `cordova.js` file. After setting up the platform, install the required plugins. The original application's `bank/assets/www/cordova_plugins.js` file lists all the plugins and their versions. Install each plugin individually as shown below: ```bash cd bank-new cordova plugin add cordova-plugin-dialogs@2.0.1 ``` If a plugin is not available on npm, it can be sourced from GitHub: ```bash cd bank-new cordova plugin add https://github.com/moderna/cordova-plugin-cache.git ``` Ensure all prerequisites are met before compiling: ```bash cd bank-new cordova requirements ``` To build the APK, use the following command: ```bash cd bank-new cordova build android — packageType=apk ``` This command generates an APK with the debug option enabled, facilitating debugging via Google Chrome. It's crucial to sign the APK before installation, especially if the application includes code tampering detection mechanisms. ### Automation Tool For those seeking to automate the cloning process, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is a recommended tool. It streamlines the cloning of Android applications, simplifying the steps outlined above. --- ## Security Risks & Recent Vulnerabilities (2023-2025) Cordova’s plugin-based architecture means that **most of the attack surface sits inside third-party plugins and the WebView bridge**. The following issues have been actively exploited or publicly disclosed in the last few years: * **Malicious NPM Packages.** In July 2024 the package `cordova-plugin-acuant` was removed from the NPM registry after it was discovered dropping malicious code during installation (OSV-ID MAL-2024-7845). Any developer machine that executed `npm install cordova-plugin-acuant` should be considered compromised. Audit `package.json`/`package-lock.json` for unexpected Cordova plugins and pin trusted versions. [OSV advisory](/) * **Unvalidated Deeplinks → XSS/RCE.** `CleverTap Cordova Plugin ≤ 2.6.2` (CVE-2023-2507) fails to sanitise deeplink input, allowing an attacker to inject arbitrary JavaScript that executes in the main WebView context when a crafted link is opened. Update to ≥ 2.6.3 or strip untrusted URI parameters at runtime. [CVE-2023-2507](/) * **Out-of-Date Platform Code.** `cordova-android` ≤ 12 ships with targetSdk 33 or lower. Beginning May 2024 Google Play requires API 34, and several WebView hardening features (e.g. auto-generated `exported="false"` for components) are only present in API 34+. Upgrade to `cordova-android@13.0.0` or later. ### Quick checks during a pentest 1. **Look for `android:debuggable="true"`** in the decompiled `AndroidManifest.xml`. Debuggable builds expose the WebView over `chrome://inspect` allowing full JS injection. 2. Review `config.xml` for overly permissive `` tags or missing CSP meta-tags in `www/index.html`. 3. Grep `www/` for `eval(`, `new Function(` or dynamically-constructed HTML that could turn CSP bypasses into XSS. 4. Identify embedded plugins in `plugins/` and run `npm audit --production` or `osv-scanner --lockfile` to find known CVEs. --- ## Dynamic Analysis Tips ### Remote WebView Debugging If the application has been compiled in **debug** mode (or explicitly calls `WebView.setWebContentsDebuggingEnabled(true)`), you can attach Chrome DevTools: ```bash adb forward tcp:9222 localabstract:chrome_devtools_remote google-chrome --new-window "chrome://inspect/#devices" ``` This gives you a live JavaScript console, DOM inspector and the ability to overwrite JavaScript functions at runtime – extremely handy for bypassing client-side logic. (See Google’s official documentation for more details.) ### Hooking the JS ⇄ Native bridge with Frida The Java-side entry point of most plugins is `org.apache.cordova.CordovaPlugin.execute(...)`. Hooking this method lets you monitor or tamper with calls made from JavaScript: ```javascript // frida -U -f com.vulnerable.bank -l hook.js --no-pause Java.perform(function () { var CordovaPlugin = Java.use('org.apache.cordova.CordovaPlugin'); CordovaPlugin.execute.overload('java.lang.String','org.json.JSONArray','org.apache.cordova.CallbackContext').implementation = function(act, args, ctx) { console.log('[Cordova] ' + act + ' => ' + args); // Tamper the first argument of a sensitive action if (act === 'encrypt') { args.put(0, '1234'); } return this.execute(act, args, ctx); }; }); ``` --- ## Hardening Recommendations (2025) * **Update to the latest platform:** `cordova-android@13` (May 2024) targets API 34 and brings new WebView mitigations. * **Remove debug artifacts:** Ensure `android:debuggable="false"` and avoid calling `setWebContentsDebuggingEnabled` in release builds. * **Enforce a strict CSP & AllowList:** Add a `` tag in every HTML file and restrict `` origins in `config.xml`. Example minimal CSP that blocks inline scripts: ```html ``` * **Disable clear-text traffic:** In `AndroidManifest.xml` set `android:usesCleartextTraffic="false"` and/or provide a [network-security-config] that enforces TLS. * **Plugin hygiene:** * Pin plugin versions with `npm ci` and commit the generated `package-lock.json`. * Periodically run `npm audit`, `osv-scanner` or `cordova-check-plugins`. * **Obfuscation:** Minify JavaScript with Terser/UglifyJS and remove source maps from production builds to slow down casual reversing. --- ## References * Apache Cordova – Cordova-Android 13.0.0 release notes (May 2024) * OSV-ID MAL-2024-7845 – Malicious code in `cordova-plugin-acuant` * CVE-2023-2507 – CleverTap Cordova Plugin deeplink XSS {{#include ../banners/hacktricks-training.md}}