Now let us look at how the Cordova framework works.
First, a Cordova application loads index.html in a WebView. Every Cordova application contains an index.html file. After loading index.html, the application invokes different plugins and functions through event handlers. Since the functioning of the application depends on this HTML file, it can be easily tweaked by an attacker, which is a major security threat to such an application.
Let’s look at a demonstration of the entire attack.
First, decompile the APK using apktool as shown below:
Using a text editor, open the ‘index.html’ file.
<script>alert("You are Hacked");</script>
We are now ready to recompile the files into an APK using apktool as shown below:
We will now sign the modified APK using the “dex2jar” utility so that we obtain a signed APK, which can then be installed on a mobile phone.
Although such applications will remain vulnerable to such reverse engineering hacks, some basic protection can still be enabled.
Refer to the link below to understand the implementation of the plugin:
For example, insert the URL of the allowed domain in the ‘access origin’ tag in the config.xml file as shown below:
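As an added example (not code from the original article), the following Python script audits the ‘access origin’ entries of a config.xml and reports the ones that are broader than a single allowed HTTPS domain. The sample config.xml, the example.com domains and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config.xml for illustration; example.com is a placeholder domain.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
    <content src="index.html" />
    <access origin="*" />
    <access origin="http://api.example.com" />
    <access origin="https://*.example.com" />
    <access origin="https://api.example.com" />
</widget>
"""


def local_name(tag):
    """Strip the XML namespace so '{ns}access' compares equal to 'access'."""
    return tag.rsplit("}", 1)[-1]


def audit_access_origins(config_xml):
    """Return (origin, finding) pairs for each <access origin> that is too broad."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():  # document order
        if local_name(elem.tag) != "access":
            continue
        origin = (elem.get("origin") or "").strip()
        if not origin:
            findings.append((origin, "missing origin attribute"))
        elif origin == "*":
            findings.append((origin, "wildcard: any domain is allowed"))
        else:
            parts = urlsplit(origin)
            if parts.scheme != "https":
                findings.append((origin, "not https: content can be altered in transit"))
            elif "*" in (parts.hostname or ""):
                findings.append((origin, "subdomain wildcard: confirm every subdomain is trusted"))
    return findings


if __name__ == "__main__":
    for origin, finding in audit_access_origins(SAMPLE_CONFIG):
        print(f"{origin!r}: {finding}")
```

Only the last entry in the sample, a single HTTPS domain, passes without a finding.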
Frameworks like Cordova are designed in such a way that security threats of this kind will exist. It is therefore essential to be extremely cautious in selecting the correct framework for your application.