Apache Cordova Security Vulnerabilities and Platform Overview
What is Apache Cordova?
Development in Cordova resembles building a web page: HTML, CSS and JavaScript combine into a WebView that Cordova wraps in a native shell.
Applications developed using Cordova are known as Hybrid apps as they are not developed to be native to one specific mobile operating system such as iOS or Android.
Cordova applications are not only faster and simpler to develop, but they’re also much easier to maintain, as you’re only dealing with one codebase rather than multiple platform-specific ones. Once development is finished, you can add additional platforms with one line of code. As a result, lots of applications, both commercial and not, are built using this methodology.
Who should use Apache Cordova for Development
For developers, choosing between a hybrid and native development methodology can be confusing. According to the Apache Cordova website, you should choose this as your methodology if you are:
- a mobile developer and want to extend an application across more than one platform, without having to re-implement it with each platform’s language and tool set.
- a web developer and want to deploy a web app that’s packaged for distribution in various app store portals.
- a mobile developer interested in mixing native application components with a WebView (special browser window) that can access device-level APIs, or if you want to develop a plugin interface between native and WebView components.
Security Concerns for Hybrid Applications
Cordova applications are not exempt from vulnerabilities, especially if they contain poorly written code.
One way to reduce the threat, though it is no bulletproof defence for your app, is to work only with secure frameworks that ship built-in security controls. Reverse engineering and man-in-the-middle attacks also threaten hybrid applications.
Common Attacks that Threaten Cordova Applications
- Weak SSL implementation (same as native)
- Caching issues
As content consumption around the globe shifts even further from the web to mobile, it’s critical that anyone developing software for mobile devices commits to proper security throughout the development cycle.
“Over 7 billion mobile devices are being used today all around the world and their number is multiplying 5 times faster than human beings,” said Emmanuel Benzaquen, CEO of Checkmarx. “With the huge amounts of private information being transferred worldwide through these devices, the need for strong mobile security has become paramount. Mobile application security is a huge challenge and only robust application code can help organizations provide the users with the security they need, expect and deserve.”
Apache Cordova Security Vulnerabilities
- Medium Threat: Client HTML5 Information Exposure
- Medium Threat: Client HTML5 Insecure Storage
- Medium Threat: Client HTML5 Store Sensitive data In Web Storage
- Low Visibility: Client HTML5 Easy To Guess Database Name
- Low Visibility: Client HTML5 Heuristic Session Insecure Storage
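The insecure-storage findings in the list above (sensitive data or session material written to HTML5 Web Storage) all stem from the same pattern in the JavaScript layer of a Cordova app. The following is an added example, not code from Checkmarx or the Apache Cordova project: it shows the vulnerable pattern beside a safer in-memory session holder, and a small audit that flags sensitive-looking Web Storage entries. The Storage-like stand-in, the key-name patterns and the function names are assumptions made for this example; the audit is not Checkmarx’s query logic.

```javascript
// Added example (not Checkmarx's or Apache Cordova's code). A minimal
// Storage-like object stands in for window.localStorage so the code runs
// under Node without a WebView; it exposes the same getItem/setItem/key API.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    key: (i) => Array.from(data.keys())[i] ?? null,
    get length() { return data.size; },
  };
}

// INSECURE ("Client HTML5 Insecure Storage"): the password and session token
// are persisted in localStorage, where any script running in the WebView,
// or anyone with access to the app's data directory, can read them later.
function insecureLogin(storage, username, password, token) {
  storage.setItem('username', username);
  storage.setItem('password', password);
  storage.setItem('sessionToken', token);
}

// SAFER: hold the session token in memory for the lifetime of the app
// instance only, and never write the password anywhere. Non-sensitive
// preferences may still go to Web Storage; secrets do not.
function createSession() {
  let token = null;
  return {
    start(t) { token = t; },
    authHeader() { return token ? `Bearer ${token}` : null; },
    end() { token = null; },
  };
}

// Detection: flag entries whose key name or value looks like a secret.
// These patterns are an assumption for this example, not a real ruleset.
const SENSITIVE_KEY = /(pass(word)?|token|secret|session|auth|jwt|cookie)/i;
const JWT_VALUE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    if (SENSITIVE_KEY.test(key)) {
      findings.push({ key, reason: 'sensitive key name' });
    } else if (JWT_VALUE.test(value)) {
      findings.push({ key, reason: 'value looks like a JWT' });
    }
  }
  return findings;
}

// Usage with constructed sample values (not real credentials).
const bad = makeStorage();
insecureLogin(bad, 'alice', 'hunter2', 'eyJhbGciOi.eyJzdWIiOi.sig');
console.log(auditStorage(bad));   // password and sessionToken are flagged

const good = makeStorage();
good.setItem('theme', 'dark');
const session = createSession();
session.start('eyJhbGciOi.eyJzdWIiOi.sig');
console.log(auditStorage(good));  // nothing flagged; token lives in memory
```

The audit is deliberately heuristic, which is the same reason the last item in the list is labelled "Heuristic": a key named `cache` holding a JWT is still a finding because the value shape gives it away, while a key named `username` is not, since a username alone is not a secret.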
Securing your Apache Cordova Apps
Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Apache Cordova testing solutions as not only the solution which will keep your Apache Cordova apps free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.
CxSAST works with the tools your developers are already using, as it seamlessly integrates with most common development programs at every stage of the SDLC. CxSAST features such as incremental code scanning and best fix location make it ideal for any continuous integration / continuous delivery (CI/CD) environment.
When vulnerabilities are detected in the Apache Cordova code, CxSAST will not only identify the best fix location, but will also offer the developer resources for understanding how the attack vector works, as well as remediation advice that helps them avoid similar mistakes in the future.