Recreating Cordova Mobile Apps to Bypass Security Implementations
2023-6-20 19:40:17 Source: infosecwriteups.com

Sourav Kalal

InfoSec Write-ups

Code Tampering Detected

Introduction

I have recently found that hybrid mobile applications are used by many organizations. Hybrid applications allow developers to build applications for different operating systems or platforms using the same technologies, and often the same code with minor or no changes. The native approach requires a different language per platform, such as Java for Android and Swift or Objective-C for iOS.

Using the hybrid method allows the developer to build both Android and iOS apps using the same languages. One of the most popular frameworks for building hybrid mobile apps is React Native, which lets you create both Android and iOS applications using JavaScript.

Apart from React Native, Apache Cordova is another popular framework that allows you to create hybrid applications using JavaScript, HTML and CSS.

Developers write all the code in JavaScript and HTML; during the build process the required native code is generated by the framework and its plugins/libraries.

Security Issues with Apache Cordova

One of the major issues with Cordova is that, unlike React Native, it does not come with a default method to protect the application source. Cordova has no default compilation step for the application source, which makes code tampering easy. A Cordova application uses a WebView to render the application from HTML and JS, whereas React Native runs the JavaScript code in a JavaScript VM. This allows React Native to transform the code during the build process and create a bundle file that does not fully disclose the original source. Cordova, on the other hand, uses a WebView and needs the actual HTML and JS files to work, so the source code is disclosed even after it is compiled into an APK or IPA.

We can view pretty much all the source code in its original form inside the APK or IPA file. This allows anyone to bypass security checks such as code-tampering or integrity detection. We can use Apktool to decompile the application, edit the source code and recompile it.

If the application has integrity detection, we can create a completely new Cordova application and reuse the original application's source code inside it. Since we are creating a new application, we can bypass the integrity detection, or create a malicious application on top of the original application's source code.

Cloning Cordova Application

To create a clone, we first need a Cordova-based mobile application. Once you have a Cordova application, you can unzip it to view the original JS and HTML code.

To create a Cordova app we need to install Node.js. Apart from Node.js, we need a few other things installed to complete the build process, such as the Android SDK, a Java JDK and Gradle. You can follow the official documentation for the list of requirements.

For this example, we assume that the original application file is Bank.apk and the package name is com.android.bank.

Unzip Bank.apk and open the bank/assets/www folder. There we can view the complete source of the Cordova application; all the HTML and JS code can be used to create a clone of the application.

Cordova Source Code

When we create a Cordova project we also get a config.xml file. The config file of the original application can be found in bank/res/xml/config.xml.

Now we can create a new Cordova project. We need to keep the application name and package name the same as in the original application. If we use different names we might need to edit the code; that is only the case for a few applications, but it is simpler to keep the original names.

npm install -g cordova@latest
cordova create bank-new com.android.bank Bank
cd bank-new

Each application is created with a specific version of Cordova, which determines which Cordova plugins can be installed. If you use a Cordova version different from the one used to build the original APK, you may run into plugin and compilation issues. For some Cordova versions, you can identify the Cordova version used by the application by inspecting the cordova.js file.

Once we have created the new Cordova project, we need to copy the source code: copy all files and folders from bank/assets/www to bank-new/www.

When copying the source code we need to exclude a few files and folders: cordova_plugins.js, cordova.js, cordova-js-src/ and plugins/. Everything else can be copied.

When we create a new Cordova project we need to specify whether the app is for Android or iOS. Since we are cloning an Android app, we need to add the Android platform. Cordova has its own platform versions, and each version has different features and supports different Android APIs and Android versions.

The Android API level and the Cordova Android platform version are two different things. You can check the list of platform versions and the Android APIs they support.

To add the Cordova Android platform we need to find out which version was originally used by the application. If you use a different version you might face issues, since we are reusing the same source code to clone the application. Open the cordova.js file and search for PLATFORM_VERSION_BUILD_LABEL to find the version used by the application.

Cordova JS and Cordova Platform version
cd bank-new
cordova platform add android@<platform-version>

Now that we have added Android platform support, we can add all the plugins used by the application. The original application's bank/assets/www/cordova_plugins.js contains the list of all plugins it uses. We need to install those plugins one by one. Search for module.exports.metadata in the cordova_plugins.js file; it lists all the plugins together with their versions.

Cordova Plugins
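The three facts the previous sections pull out by hand (the unobfuscated app source under assets/www, the cordova-android version in cordova.js and the plugin list in cordova_plugins.js) are exactly what an app-security reviewer wants to inventory when assessing how much of a Cordova app ships in the clear. The script below is an added example, not code from the article or from the MobSecco tool: it reads those two files straight out of the APK zip, parses PLATFORM_VERSION_BUILD_LABEL and module.exports.metadata, lists the app's own source files (applying the same exclusion list the article uses for the framework files), and flags plugin ids outside the cordova-plugin-* namespace, which are the ones that usually need manual sourcing. The sample APK, the plugin versions and the com.example plugin id are constructed for the demonstration.

```python
"""Inventory the Cordova layer of an APK: platform version, plugin list and the
application source that ships unobfuscated under assets/www.
Added example, not the article's or MobSecco's code; the sample data is constructed."""
import io
import json
import re
import zipfile

WWW_PREFIX = "assets/www/"
# Framework/plugin entries, i.e. the ones the article excludes when copying sources.
FRAMEWORK_ENTRIES = ("cordova.js", "cordova_plugins.js", "cordova-js-src/", "plugins/")

PLATFORM_LABEL_RE = re.compile(r"PLATFORM_VERSION_BUILD_LABEL\s*=\s*['\"]([^'\"]+)['\"]")
METADATA_RE = re.compile(r"module\.exports\.metadata\s*=\s*(\{.*?\})\s*;", re.S)


def cordova_platform_version(cordova_js: str):
    """Return the cordova-android platform version recorded in cordova.js, or None."""
    m = PLATFORM_LABEL_RE.search(cordova_js)
    return m.group(1) if m else None


def plugin_metadata(cordova_plugins_js: str) -> dict:
    """Return {plugin id: version} from module.exports.metadata in cordova_plugins.js."""
    m = METADATA_RE.search(cordova_plugins_js)
    if not m:
        return {}
    literal = m.group(1)
    try:
        return json.loads(literal)  # Cordova emits the block as plain JSON
    except json.JSONDecodeError:
        # Fall back to "key": "value" pairs if the literal is not strict JSON
        return dict(re.findall(r'"([^"]+)"\s*:\s*"([^"]*)"', literal))


def is_framework_entry(rel_path: str) -> bool:
    """True for files/folders that belong to Cordova or its plugins, not the app."""
    return any(rel_path.startswith(e) for e in FRAMEWORK_ENTRIES)


def inventory(apk_bytes: bytes) -> dict:
    """Build the inventory from the raw APK (a zip) without extracting it to disk."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()

        def read(name):
            return zf.read(name).decode("utf-8") if name in names else ""

        cordova_js = read(WWW_PREFIX + "cordova.js")
        plugins_js = read(WWW_PREFIX + "cordova_plugins.js")
    plugins = plugin_metadata(plugins_js)
    app_files = sorted(
        n for n in names
        if n.startswith(WWW_PREFIX) and not n.endswith("/")
        and not is_framework_entry(n[len(WWW_PREFIX):])
    )
    return {
        "is_cordova": bool(cordova_js),
        "platform_version": cordova_platform_version(cordova_js),
        "plugins": plugins,
        # Ids outside cordova-plugin-* are usually custom or third-party plugins
        "custom_plugins": sorted(p for p in plugins if not p.startswith("cordova-plugin-")),
        "app_source_files": app_files,
        "has_config_xml": "res/xml/config.xml" in names,
    }


# Constructed sample APK: only the entries this script looks at. The versions and
# the com.example plugin id are made up for the demonstration.
SAMPLE_ENTRIES = {
    "assets/www/cordova.js": "// Platform: android\nvar PLATFORM_VERSION_BUILD_LABEL = '10.1.2';\n",
    "assets/www/cordova_plugins.js": (
        "cordova.define('cordova/plugin_list', function(require, exports, module) {\n"
        "  module.exports = [\n"
        '    {"id": "cordova-plugin-device.device", "pluginId": "cordova-plugin-device",\n'
        '     "file": "plugins/cordova-plugin-device/www/device.js", "clobbers": ["device"]}\n'
        "  ];\n"
        "  module.exports.metadata = {\n"
        '    "cordova-plugin-device": "2.0.3",\n'
        '    "com.example.legacy-cache": "0.9.1"\n'
        "  };\n"
        "});\n"
    ),
    "assets/www/index.html": "<html><body><script src='js/app.js'></script></body></html>\n",
    "assets/www/js/app.js": "document.addEventListener('deviceready', function () {});\n",
    "assets/www/plugins/cordova-plugin-device/www/device.js": "// plugin code\n",
    "res/xml/config.xml": "<widget id='com.android.bank'></widget>\n",
}


def build_sample_apk() -> bytes:
    """Write the constructed entries into an in-memory zip shaped like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in SAMPLE_ENTRIES.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_apk()), indent=2))
```

Run against a real APK by passing its bytes to inventory(); the app_source_files list is the material that is readable and editable without any decompilation, and the plugin versions can be checked against npm advisories before the app is even built.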

We need to install all the plugins one by one using the command below, substituting each plugin id and version listed in module.exports.metadata:

cd bank-new
cordova plugin add <plugin-id>@<version>

The developer might also have added a custom plugin. If we try to install such a plugin we might get an error; in that case we can skip it. Another error can occur when the developer has added plugins that are not available on the node package manager (npm).

For such plugins we need to search manually; most probably they will be available on GitHub. For example, in the image above, at.modalog.cordova.plugin.cache is not available on npm, but it is available on GitHub.

cd bank-new
cordova plugin add https://github.com/moderna/cordova-plugin-cache.git

Once all the plugins are installed we can compile the source code to get the APK. Before compiling we can run npm audit, which tells us which plugins are outdated and contain known security issues.

The audit has nothing to do with cloning the Cordova app, but it is useful to know that the original application has several security issues which can be reported and exploited.

cd bank-new
npm audit
NPM AUDIT

To compile the application, we need to make sure all the requirements are installed:

cd bank-new
cordova requirements

Once the setup is ready we can build the APK.

cd bank-new
cordova build android --packageType=apk

If everything works with a compatible version, we should be able to create the APK. The build command above creates a debug APK, which allows us to debug the application using Google Chrome. Before installing the APK, make sure to sign it. If the application has code-tampering detection it will be bypassed, unless a specific configuration has been set.

Now that you have a complete environment set up, you can add or remove plugins or edit the configuration to create a new application the way you want.

I have done some random experiments on cloning Cordova applications. The method might not work every time, depending on the application. The method has only been tested on Android applications but should work with iOS applications as well.

I have created a tool that automates the complete process of cloning an Android application.

https://github.com/Anof-cyber/MobSecco

For a demo, or for trial and error, you can look at the list of open-source iOS applications; a few of them are built with Cordova, and most of them have Android applications as well.

Twitter — https://twitter.com/ano_f_

GitHub — https://github.com/Anof-cyber/

LinkedIn — https://www.linkedin.com/in/sourav-kalal/


Article source: https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58?source=rss----7b722bfd1b8d--bug_bounty