Apache Cordova fixes flaw that could cause apps to crash

PCWorld News

A fix has been released for a vulnerability in a widely used piece of code in Android devices, which could cause apps to crash or display unwanted dialog boxes.

The flaw lies in Apache Cordova, which is a set of APIs (application programming interfaces) that let developers access functions such as a camera or accelerometer using JavaScript, according to its website.

Trend Micro, which found the problem, wrote that 5.6 percent of apps in Google’s Play store use Cordova and are vulnerable. iOS is not affected.

Apps using Cordova that “don’t have explicit values set in Config.xml can have undefined configuration variables set by Intent,” according to a description of the flaw on the Cordova website.

“This can cause unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing,” wrote Joe Bowser, a senior computer scientist at Adobe Systems, who works on Cordova for Android.

Seven Shen, a mobile threats analyst with Trend Micro who found the problem, wrote the flaw could be exploited by getting a person to click a URL.

Apps that use version 4.0.x or higher should move to 4.0.2 of Cordova. Another version of Cordova 3.7.2 has been released with a patch for apps that are on older versions of the code.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.