Cordova apps have revolutionized the way we develop hybrid applications using JavaScript, HTML, and CSS. With its ability to create Android and iOS applications, Cordova has become a popular choice among developers. However, unlike React Native, Cordova lacks a default mechanism for securing the application's source code, making it vulnerable to code tampering vulnerabilities.
Cloning a Cordova Application
To access the source code of a Cordova application, you need to ensure that NodeJS is installed along with other prerequisites like the Android SDK, Java JDK, and Gradle. The official Cordova documentation provides a comprehensive guide for these installations.
Consider an example application named Bank.apk, with the package name com.android.bank. To access the source code, unzip Bank.apk and navigate to the bank/assets/www folder. This folder contains the complete source code of the application, including HTML and JS files, stored exactly as they were in the developer's project. The application's configuration can be found in bank/res/xml/config.xml; note that everything under res/ is compiled to Android binary XML at build time, so a plain unzip leaves config.xml unreadable and a decoder such as apktool is needed to view it as text.
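The inspection described above can be scripted because an APK is an ordinary zip. The following is an added example, not code from the article or from the Cordova project: it recognises a Cordova build by the presence of assets/www/cordova.js and res/xml/config.xml (my chosen markers), hashes every file under assets/www/, and diffs that manifest against a trusted baseline so that a repackaged or tampered bundle found in the wild can be spotted. The two bundles it works on are constructed in memory; no real app is involved.

```python
"""Fingerprint a Cordova APK and build an integrity baseline of its web assets.

Added example; this is not code from the article or from the Cordova project.
An APK is an ordinary zip, so zipfile alone reaches assets/www/ (the asset
directory is stored verbatim, unlike res/, which aapt compiles to binary XML).
"""
import hashlib
import io
import zipfile

WWW_PREFIX = "assets/www/"
# Files whose presence identifies a Cordova build (markers chosen for this
# example; both are produced by every stock cordova-android project).
CORDOVA_MARKERS = ("assets/www/cordova.js", "res/xml/config.xml")


def is_cordova_apk(zf):
    """True if the zip carries the Cordova runtime and its config resource."""
    names = set(zf.namelist())
    return all(marker in names for marker in CORDOVA_MARKERS)


def www_manifest(zf):
    """Map every file under assets/www/ to its SHA-256 hex digest.

    Computed on the release build this is the baseline; computed on a sample
    found in the wild it is what gets compared against that baseline.
    """
    manifest = {}
    for info in zf.infolist():
        if info.filename.startswith(WWW_PREFIX) and not info.is_dir():
            relative = info.filename[len(WWW_PREFIX):]
            manifest[relative] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def diff_manifests(baseline, observed):
    """Classify differences between the trusted baseline and an observed bundle."""
    return {
        "modified": sorted(f for f in baseline if f in observed and baseline[f] != observed[f]),
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
    }


def build_fake_apk(files):
    """Construct an in-memory zip standing in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample: a minimal release bundle and a repackaged copy of it.
RELEASE = {
    "AndroidManifest.xml": b"<binary-xml placeholder>",
    "res/xml/config.xml": b"<binary-xml placeholder>",
    "assets/www/cordova.js": b"/* cordova runtime */",
    "assets/www/index.html": b"<html><script src='js/index.js'></script></html>",
    "assets/www/js/index.js": b"function login(u, p) { return fetch('/api/login', {method: 'POST'}); }",
}
REPACKAGED = dict(RELEASE)
REPACKAGED["assets/www/js/index.js"] = b"function login(u, p) { return fetch('/api/login'); } /* edited */"
REPACKAGED["assets/www/js/extra.js"] = b"console.log('not in the release build')"


def demo():
    """Return the diff between the constructed release and repackaged bundles."""
    with zipfile.ZipFile(build_fake_apk(RELEASE)) as release, \
         zipfile.ZipFile(build_fake_apk(REPACKAGED)) as sample:
        if not (is_cordova_apk(release) and is_cordova_apk(sample)):
            raise ValueError("not a Cordova build")
        return diff_manifests(www_manifest(release), www_manifest(sample))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

Run it against a real file by opening the APK with zipfile.ZipFile(path) instead of the constructed buffers; store the release manifest next to the build artifacts so that any bundle later pulled from a device or a third-party store can be diffed against it.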
To clone the application, follow these steps:
- Install Cordova using npm:
npm install -g cordova@latest
- Create a new Cordova project:
cordova create bank-new com.android.bank Bank
- Copy the contents of bank/assets/www to bank-new/www, excluding cordova_plugins.js, cordova.js, cordova-js-src/, and the plugins/ directory (Cordova regenerates these for the new project at build time).
- Specify the platform (Android or iOS) when creating a new Cordova project. For cloning an Android app, add the Android platform.
Automation Tool
For those seeking to automate the cloning process, MobSecco is a recommended tool that streamlines the cloning of Android applications, simplifying the steps outlined above.
Security Risks & Recent Vulnerabilities (2023-2026)
Cordova's plugin-based architecture means that most of the attack surface sits inside third-party plugins and the WebView bridge. The following issues have been actively exploited or publicly disclosed in the last few years:
- Malicious NPM Packages: In July 2024, the package cordova-plugin-acuant was removed from the NPM registry after it was discovered dropping malicious code during installation (OSV-ID MAL-2024-7845). Any developer machine that executed npm install cordova-plugin-acuant should be considered compromised. Audit package.json and package-lock.json for unexpected Cordova plugins and pin trusted versions.
- Unvalidated Deeplinks leading to XSS/RCE: CleverTap Cordova Plugin ≤ 2.6.2 (CVE-2023-2507) fails to sanitize deeplink input, allowing an attacker to inject arbitrary JavaScript that executes in the main WebView context when a crafted link is opened. Update to ≥ 2.6.3 or strip untrusted URI parameters at runtime.
- Out-of-Date Platform Code: cordova-android ≤ 12 ships with targetSdk 33 or lower. Beginning May 2024 Google Play requires API 34, and several WebView hardening features (e.g., auto-generated exported="false" for components) are only present in API 34+. Upgrade to cordova-android@13.0.0 or later.
Quick Checks during a Pentest
- Look for android:debuggable="true" in the decompiled AndroidManifest.xml. Debuggable builds expose the WebView over chrome://inspect, allowing full JS injection.
- Review config.xml for overly permissive tags or missing CSP meta-tags in www/index.html.
- Grep www/ for eval(, new Function(, or dynamically-constructed HTML that could turn CSP bypasses into XSS.
- Identify embedded plugins in plugins/ and run npm audit --production or osv-scanner --lockfile to find known CVEs.
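The checks listed above, plus the plugin and platform-version points from the previous section, can be run in one pass over a decompiled tree. The script below is an added example, not code from the article or from any Cordova tooling. It assumes the layout a decompiler such as apktool produces (AndroidManifest.xml at the root, res/xml/config.xml, assets/www/, sources under smali/ or as .java files) and, as a further assumption, a package.json copied in from the build tree. For the "overly permissive tags" check it inspects the <access>, <allow-navigation> and <allow-intent> elements of config.xml for a wildcard; the known-bad package name and the cordova-android version floor come from the article. The sample tree it audits is constructed inline and deliberately fails every check.

```python
"""Static checks over a decompiled Cordova Android app.

Added example, not code from the article or from any Cordova tooling. Layout
assumed: AndroidManifest.xml at the root, res/xml/config.xml, assets/www/,
smali/ or .java sources, and (assumption) a package.json from the build tree.
"""
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

MIN_CORDOVA_ANDROID = (13, 0, 0)               # floor given in the article
KNOWN_BAD_PLUGINS = {"cordova-plugin-acuant"}  # malicious package named in the article
CSP_META = re.compile(r'http-equiv\s*=\s*"content-security-policy"', re.I)
RISKY_JS = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*=|document\.write\s*\(")
PINNED = re.compile(r"^\d+\.\d+\.\d+$")
WILDCARD_TAGS = ("access", "allow-navigation", "allow-intent")


def version_tuple(spec):
    """'^12.0.1' / '13.0.0' -> (12, 0, 1) / (13, 0, 0); None if not recognisable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(root):
    """Return a list of human-readable findings for the decompiled tree at root."""
    root = Path(root)
    findings = []
    manifest = root / "AndroidManifest.xml"
    if manifest.exists() and 'android:debuggable="true"' in manifest.read_text():
        findings.append("manifest: debuggable build (WebView reachable over chrome://inspect)")
    config = root / "res" / "xml" / "config.xml"
    if config.exists():
        for el in ET.parse(config).iter():
            tag = el.tag.split("}")[-1]  # strip the widgets namespace
            if tag in WILDCARD_TAGS and el.get("href", el.get("origin")) == "*":
                findings.append(f"config.xml: <{tag}> grants '*'")
    www = root / "assets" / "www"
    index = www / "index.html"
    if index.exists() and not CSP_META.search(index.read_text()):
        findings.append("index.html: no Content-Security-Policy meta tag")
    js_files = sorted(www.rglob("*.js")) if www.exists() else []
    for js in js_files:
        for lineno, line in enumerate(js.read_text(errors="replace").splitlines(), 1):
            if RISKY_JS.search(line):
                findings.append(f"{js.relative_to(root).as_posix()}:{lineno}: dynamic code or HTML sink")
    for src in sorted(root.rglob("*.smali")) + sorted(root.rglob("*.java")):
        if "setWebContentsDebuggingEnabled" in src.read_text(errors="replace"):
            findings.append(f"{src.relative_to(root).as_posix()}: toggles WebView debugging; confirm it is off in release")
    pkg = root / "package.json"
    if pkg.exists():
        data = json.loads(pkg.read_text())
        deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
        for name, spec in deps.items():
            if name in KNOWN_BAD_PLUGINS:
                findings.append(f"package.json: {name} is a known malicious package")
            elif name == "cordova-android":
                v = version_tuple(spec)
                if v is None or v < MIN_CORDOVA_ANDROID:
                    findings.append(f"package.json: cordova-android {spec} is below 13.0.0")
            elif name.startswith("cordova-plugin-") and not PINNED.match(spec):
                findings.append(f"package.json: {name} not pinned ({spec})")
    return findings


# Constructed sample tree that trips every check; not a real application.
SAMPLE = {
    "AndroidManifest.xml": '<manifest><application android:debuggable="true"/></manifest>',
    "res/xml/config.xml": '<widget xmlns="http://www.w3.org/ns/widgets" id="com.android.bank">'
                          '<access origin="*"/><allow-navigation href="https://bank.example"/></widget>',
    "assets/www/index.html": "<html><head></head><body></body></html>",
    "assets/www/js/index.js": "var html = location.hash.slice(1);\ndocument.body.innerHTML = html;\n",
    "smali/com/android/bank/MainActivity.smali":
        "invoke-static {v0}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V\n",
    "package.json": json.dumps({"dependencies": {"cordova-android": "^12.0.1",
                                                 "cordova-plugin-acuant": "latest",
                                                 "cordova-plugin-camera": "^6.0.0"}}),
}


def build_sample(root):
    """Write the constructed sample tree under root and return root."""
    for rel, text in SAMPLE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def demo():
    """Audit the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit() at the output directory of the decompiler instead of the temporary sample to use it on a real target; the dependency checks only fire when a package.json is present, so copy one in from the project's build tree when you have it.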
Dynamic Analysis Tips
Remote WebView Debugging: If the application has been compiled in debug mode (or explicitly calls WebView.setWebContentsDebuggingEnabled(true)), you can attach Chrome DevTools:
- Forward a TCP port using ADB:
adb forward tcp:9222 localabstract:chrome_devtools_remote
- Open Google Chrome on its remote debugging page:
google-chrome --new-window "chrome://inspect/#devices"
This gives you a live JavaScript console, DOM inspector, and the ability to overwrite JavaScript functions at runtime, which is extremely handy for bypassing client-side logic. (See Google's official documentation for more details.)