Bharat Mistry, a cyber-security consultant for Trend Micro said that the problem arose because of the way that developers worked with the API. “If they haven't set the parameters of the API properly and just use default values, it makes the app vulnerable to content that can crash the app and download malware.”
According to a Trend Micro blog post there are two prerequisites for a specialist exploit: at least one of the application's components is not properly secured so that it is accessible from outside the app, and at least one of Cordova's supported preferences is not defined in the configuration file: config.xml. About 5.6 percent of Android apps are Cordova-based claimed the blog.
Mistry said that the vulnerability arose because there was little oversight over developers pushing their apps onto Google Play but it was hard to ascertain how widespread the problem was. “It's difficult to say how many applications out of that 5.6 percent are actually affected.” He added that there were two strains of developers, “There are those from corporate background who have some training in security and they'll be aware of the problems. But there will also be people working on their own or in small companies and who are being pushed to get products out quickly.”
The problem could be avoided by the adoption of additional methods of assurance. “What the industry really needs is a kitemark to say that it's gone through a testing process,” said Mistry. He pointed out how the HP Fortify analyser helped developers to ensure their apps were secure.
One thing is clear, he added, it's not a problem that's going to go away. “If you look at the way that the industry is going, there's going to be more tablets and mobile devices there – they're going to be the easiest targets.”
Robert Miller, a security consultant with MWR InfoSecurity said there were particular issues with Android apps. "Often companies choose to use third party frameworks to help speed up their development process, but make assumptions that using them will make their applications secure.”
Mistry said part of the problem was the way that Android was handled. “Apple controls the device and the appstore,” he said. “Google needs to get the balance between (reliability) and innovation right, they leave the hardware to the vendors.”
Miller said that developers should be trained better to understand some of the issues. "It is vital that companies take the time to understand the security of frameworks before using them. This can come from asking the framework vendors questions like what security standards their products are built against, how they handle vulnerability reports, and what their process is for providing security updates to companies that use their framework," he added.