Posted to commits@cordova.apache.org by ia...@apache.org on 2014/08/06 20:52:06 UTC

svn commit: r1616301 - in /cordova/site: public/ public/announcements/2014/08/04/ public/announcements/2014/08/06/ public/blog/ www/_posts/

Author: ian
Date: Wed Aug  6 18:52:05 2014
New Revision: 1616301

URL: http://svn.apache.org/r1616301
Log:
Add Cordova-Android 3.5.1 Update blog post, and amend text of previous post

Added:
    cordova/site/public/announcements/2014/08/06/
    cordova/site/public/announcements/2014/08/06/android-351-update.html
    cordova/site/www/_posts/2014-08-06-android-351-update.md
Modified:
    cordova/site/public/announcements/2014/08/04/android-351.html
    cordova/site/public/blog/index.html
    cordova/site/public/index.html
    cordova/site/public/rss.xml
    cordova/site/www/_posts/2014-08-04-android-351.md

Modified: cordova/site/public/announcements/2014/08/04/android-351.html
URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/04/android-351.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/announcements/2014/08/04/android-351.html (original)
+++ cordova/site/public/announcements/2014/08/04/android-351.html Wed Aug  6 18:52:05 2014
@@ -70,6 +70,8 @@
     <p class="meta">04 Aug 2014</p>
     <div class="post">
     
+<p><strong>Updated: 2014-08-06</strong> (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)</p>
+
 <p>Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.</p>
 
 <p>When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:</p>
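Review bot: typo in the added "Updated: 2014-08-06" paragraph: "to better explain the cope of the issue" should read "the scope of the issue". The same sentence appears in public/index.html, public/rss.xml and www/_posts/2014-08-04-android-351.md in this commit, so correct it in the _posts source and regenerate the public/ pages rather than patching this file alone.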
@@ -114,6 +116,26 @@
 
 <p>Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.</p>
 <hr />
+<p>CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading</p>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Cordova Android versions up to 3.5.0</p>
+
+<p>Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.</p>
+
+<p>The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.</p>
+
+<p>Implicit intents, including URLs with schemes such as “tel”, “geo”, and “sms” can still be used to open external applications by default, but this behaviour can be overridden by plugins.</p>
+
+<p>Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.</p>
+
+<p>Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.</p>
+
+<p>(This notice originally read as follows:)</p>
+
 <p>CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs</p>
 
 <p>Severity: Medium</p>
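Review bot: the added "Upgrade path" line is weaker than the recommendation at the top of the same page. The new text says "Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1", while the opening paragraph recommends that all Android applications built using Cordova be upgraded to 3.5.1. Suggest aligning the two, so that a reader who skims only the CVE-2014-3502 block gets the same instruction. Minor: "explicit Android intent urls" should be "URLs", as in the rest of the description.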

Added: cordova/site/public/announcements/2014/08/06/android-351-update.html
URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/06/android-351-update.html?rev=1616301&view=auto
==============================================================================
--- cordova/site/public/announcements/2014/08/06/android-351-update.html (added)
+++ cordova/site/public/announcements/2014/08/06/android-351-update.html Wed Aug  6 18:52:05 2014
@@ -0,0 +1,171 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <link rel="SHORTCUT ICON" href="//cordova.apache.org/favicon.ico"/>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name = "format-detection" content = "telephone=no">
+    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
+    <!-- Original Jekyll
+    <meta name="viewport" content="width=device-width">
+    -->
+    <title>Apache Cordova Android 3.5.1 Update</title>
+    <!-- syntax highlighting CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/syntax.css">
+    <!-- Custom CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/main.css">
+
+    <!-- Cordova CSS -->
+    <link rel="stylesheet" type="text/css" href="//cordova.apache.org/css/master.css">
+    <script src="//cordova.apache.org/js/smooth.pack.js" type="text/javascript"></script>
+    <script type="text/javascript">
+      var _gaq = _gaq || [];
+      _gaq.push(['_setAccount', 'UA-94271-30']);
+      _gaq.push(['_trackPageview']);
+      (function() {
+        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+      })();
+    </script>
+</head>
+
+<body>
+
+    <a class="scroll-point pt-top" name="top">
+</a>
+<div id="header">
+    <div class="wrap">
+        <a class="logo" href="//cordova.apache.org/#top"></a>
+        <div class="menu">
+            <a href="//cordova.apache.org/#about">About</a>
+            <a href="//cordova.apache.org/#news">News</a>
+            <a href="http://cordova.apache.org/docs/en/3.5.0/">Documentation</a>
+            <a href="http://plugins.cordova.io/">Plugins</a>
+            <a href="//cordova.apache.org/#links">Quick Links</a>
+            <a href="//cordova.apache.org/#contribute">Contribute</a>
+            <a href="//cordova.apache.org/#mailing-list">Mailing List</a>
+        </div>
+        <form class="menu-dropdown">
+            <select onchange="location = this.options[this.selectedIndex].value;">
+                <option value="//cordova.apache.org/#about">About</option>
+                <option value="//cordova.apache.org/#news">News</option>
+                <option value="http://cordova.apache.org/docs/en/3.5.0/">Documentation</option>
+                <option value="http://plugins.cordova.io/">Plugins</option>
+                <option value="//cordova.apache.org/#links">Quick Links</option>
+                <option value="//cordova.apache.org/#contribute">Contribute</option>
+                <option value="//cordova.apache.org/#mailing-list">Mailing List</option>
+            </select>
+        </form>
+    </div>
+    <div class="shadow"></div>
+</div> <!-- /header -->
+<div class="header-placeholder"></div>
+
+
+        <div class="site">
+    <h2>Apache Cordova Android 3.5.1 Update</h2>
+    <div class="meta">Posted by: <a href="https://twitter.com/iclelland">Ian Clelland</a></div>
+    <p class="meta">06 Aug 2014</p>
+    <div class="post">
+    
+<p>On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn’t quite right, so we’ve amended it.</p>
+
+<p>You can read the amended blog post <a href="http://cordova.apache.org/announcements/2014/08/04/android-351.html">here</a>.</p>
+
+<p>The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn’t load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to “phone home” with the user’s data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.</p>
+<!--more-->
+<p>In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like <code>sms:</code>, <code>mailto:</code>, or <code>geo:</code> in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.</p>
+
+<p>As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like</p>
+
+<pre><code>cordova plugin add net.iclelland.external-app-block</code></pre>
+
+<p>or feel free to clone it from <a href="https://github.com/clelland/cordova-plugin-external-app-block">GitHub</a> and tweak it to suit your needs.</p>
+
+<p>We’re hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself.</p>
+
+    </div>
+</div>
+
+
+
+    <a class="scroll-point" name="links"></a>
+<hr/>
+
+<div class="wrap quick-links-pane">
+    <h2 class="icon icon-quick-links">Quick Links</h2>
+    <br/>
+    <ul class="quick-links-header">
+        <li>General</li>
+        <li>Development</li>
+        <li class="last">Apache Software Foundation</li>
+    </ul>
+    <div class="clear"></div>
+</div>
+
+<div class="grid">
+    <div class="wrap">
+        <div class="list-container">
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#about">About Cordova<span></span></a></li>
+
+                
+                <li><a href="http://projects.apache.org/projects/cordova.html">Apache Project Page<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/artwork.html">Artwork<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#download">Download<span></span></a></li>
+                <li><a href="http://cordova.apache.org/docs/en/3.5.0/">Documentation<span></span></a></li>
+
+                
+                <li><a href="https://git-wip-us.apache.org/repos/asf">Source Code<span></span></a></li>
+                
+                <li><a href="https://issues.apache.org/jira/browse/CB">Issue Tracker<span></span></a></li>
+                
+                <li><a href="http://wiki.apache.org/cordova/">Wiki<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/index.html#mailing-list">Mailing List<span></span></a></li>
+
+                <li><a href="http://stackoverflow.com/tags/cordova">Support<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links last">
+                <li class="corner"></li>
+                
+                <li><a href="http://www.apache.org/">About ASF<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/security/">Security<span></span></a></li>
+                
+            </ul>
+
+            <div class="clear"></div>
+        </div>
+    </div>
+</div>
+
+
+    <hr/>
+<div id="footer">
+    <p>Copyright © 2012, 2013 The Apache Software Foundation, Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
+    Apache and the Apache feather logos are <a href="http://www.apache.org/foundation/marks/list/">trademarks</a> of The Apache Software Foundation.
+    </p>
+    <a class="closing" href="#top"></a>
+</div>
+
+
+</body>
+</html>
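Review bot: in the paragraph after the "more" marker, "Cordova 3.5.1 disallows clearly malicious URLs" does not tell a developer what is actually blocked. The amended advisory in this same commit is specific (explicit Android intent URLs are blocked, implicit ones with schemes such as tel, geo and sms still open external applications by default), so suggest reusing that wording here. Also, "upgrade to Cordova 3.5.1" should name the platform, "Cordova Android 3.5.1", as the title and the advisory do, and the footer still reads "Copyright © 2012, 2013" on a page dated 2014.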

Modified: cordova/site/public/blog/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Wed Aug  6 18:52:05 2014
@@ -69,6 +69,11 @@
 <ul class="posts">
   
     <li>
+    <span>06 Aug 2014</span> &raquo;
+    <a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Apache Cordova Android 3.5.1 Update</a>
+    </li>
+  
+    <li>
     <span>04 Aug 2014</span> &raquo;
     <a href="//cordova.apache.org/announcements/2014/08/04/android-351.html">Apache Cordova Android 3.5.1</a>
     </li>

Modified: cordova/site/public/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/index.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/index.html (original)
+++ cordova/site/public/index.html Wed Aug  6 18:52:05 2014
@@ -101,8 +101,20 @@
   <h2>News <a href="/rss.xml" style="font-size:12pt; margin-left:10px">Subscribe</a></h2>
   <ul class="posts">
     
+      <li><span>06 Aug 2014</span> &raquo; <a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Apache Cordova Android 3.5.1 Update</a>
+      
+<p>On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn’t quite right, so we’ve amended it.</p>
+
+<p>You can read the amended blog post <a href="http://cordova.apache.org/announcements/2014/08/04/android-351.html">here</a>.</p>
+
+<p>The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn’t load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to “phone home” with the user’s data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.</p>
+
+      <div style="padding-bottom:2em"><a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Read More</a></div>
+    
       <li><span>04 Aug 2014</span> &raquo; <a href="//cordova.apache.org/announcements/2014/08/04/android-351.html">Apache Cordova Android 3.5.1</a>
       
+<p><strong>Updated: 2014-08-06</strong> (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)</p>
+
 <p>Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.</p>
 
 <p>When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:</p>
@@ -160,39 +172,6 @@ npm install -g plugman</code></pre>
 
       <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2014/07/10/tools-release.html">Read More</a></div>
     
-      <li><span>08 Jul 2014</span> &raquo; <a href="//cordova.apache.org/news/2014/07/08/plugins-release.html">Plugins Release: July 8, 2014</a>
-      
-<p>The following plugins were updated today:</p>
-
-<ul>
-<li>cordova-plugin-contacts: 0.2.11</li>
-
-<li>cordova-plugin-network-information: 0.2.10</li>
-</ul>
-
-<p>Notable changes include:</p>
-
-<ul>
-<li>The network-information plugin no longer crashes immediately if no network is available</li>
-
-<li><code>navigator.contacts.pickContact</code> API has been added for <strong>Android</strong>, <strong>iOS</strong>, <strong>Windows Phone 8</strong> and <strong>Windows 8</strong> platforms</li>
-
-<li><code>navigator.contacts.find</code> API on <strong>Android</strong>, <strong>iOS</strong> and <strong>Windows Phone 8</strong> now supports <code>desiredFields</code> which specifies contact fields to be returned</li>
-
-<li>Contacts on <strong>Firefox OS</strong> no longer requires manual change of the application permissions</li>
-</ul>
-
-<p>The plugins have been updated on our registry at <a href="http://plugins.cordova.io/">plugins.cordova.io</a>.</p>
-<hr />
-<p>You can update any plugin by removing it, and then re-adding it. E.g. To update your contacts plugin:</p>
-
-<pre><code>cordova plugin rm org.apache.cordova.contacts
-cordova plugin add org.apache.cordova.contacts</code></pre>
-
-<p>Other changes include:</p>
-
-      <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2014/07/08/plugins-release.html">Read More</a></div>
-    
   </ul>
   
   <p>
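Review bot: the removal of the "08 Jul 2014 » Plugins Release: July 8, 2014" entry from the front page is not covered by the log message, which mentions only the new post and the amended text. If this is the oldest item rolling off the News list when the site was regenerated, say so in the log; if not, it looks like an unrelated change that should be reverted or committed separately.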

Modified: cordova/site/public/rss.xml
URL: http://svn.apache.org/viewvc/cordova/site/public/rss.xml?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/rss.xml (original)
+++ cordova/site/public/rss.xml Wed Aug  6 18:52:05 2014
@@ -5,8 +5,8 @@
         <description>Apache Cordova - Apache Cordova is a set of device APIs that allow a web mobile app developer to access native device function from JavaScript.</description>
         <atom:link href="http://cordova.apache.org/rss.xml" rel="self" type="application/rss+xml" />
         <link>http://cordova.apache.org/rss.xml</link>
-        <lastBuildDate>Mon, 04 Aug 2014 14:34:03 -0700</lastBuildDate>
-        <pubDate>Mon, 04 Aug 2014 14:34:03 -0700</pubDate>
+        <lastBuildDate>Wed, 06 Aug 2014 14:35:38 -0400</lastBuildDate>
+        <pubDate>Wed, 06 Aug 2014 14:35:38 -0400</pubDate>
         <ttl>1800</ttl>
         <image>
             <url>http://cordova.apache.org</url>
@@ -19,8 +19,34 @@
 
 
         <item>
+                <title>Apache Cordova Android 3.5.1 Update</title>
+                <description>
+&lt;p&gt;On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn’t quite right, so we’ve amended it.&lt;/p&gt;
+
+&lt;p&gt;You can read the amended blog post &lt;a href=&quot;http://cordova.apache.org/announcements/2014/08/04/android-351.html&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;
+
+&lt;p&gt;The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn’t load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to “phone home” with the user’s data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.&lt;/p&gt;
+&lt;!--more--&gt;
+&lt;p&gt;In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like &lt;code&gt;sms:&lt;/code&gt;, &lt;code&gt;mailto:&lt;/code&gt;, or &lt;code&gt;geo:&lt;/code&gt; in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.&lt;/p&gt;
+
+&lt;p&gt;As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like&lt;/p&gt;
+
+&lt;pre&gt;&lt;code&gt;cordova plugin add net.iclelland.external-app-block&lt;/code&gt;&lt;/pre&gt;
+
+&lt;p&gt;or feel free to clone it from &lt;a href=&quot;https://github.com/clelland/cordova-plugin-external-app-block&quot;&gt;GitHub&lt;/a&gt; and tweak it to suit your needs.&lt;/p&gt;
+
+&lt;p&gt;We’re hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself.&lt;/p&gt;
+</description>
+                <link>http://cordova.apache.org/announcements/2014/08/06/android-351-update.html</link>
+                <guid>http://cordova.apache.org/announcements/2014/08/06/android-351-update</guid>
+                <pubDate>Wed, 06 Aug 2014</pubDate>
+        </item>
+
+        <item>
                 <title>Apache Cordova Android 3.5.1</title>
                 <description>
+&lt;p&gt;&lt;strong&gt;Updated: 2014-08-06&lt;/strong&gt; (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)&lt;/p&gt;
+
 &lt;p&gt;Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.&lt;/p&gt;
 
 &lt;p&gt;When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:&lt;/p&gt;
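Review bot: the new item's pubDate, "Wed, 06 Aug 2014", is date-only, while the channel-level pubDate in the previous hunk carries a time and offset ("Wed, 06 Aug 2014 14:35:38 -0400"). RSS 2.0 dates follow RFC 822, which requires the time part, so strict feed readers may reject or mis-sort the entry. Suggest emitting the full timestamp for items as well.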
@@ -65,6 +91,26 @@
 
 &lt;p&gt;Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.&lt;/p&gt;
 &lt;hr /&gt;
+&lt;p&gt;CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading&lt;/p&gt;
+
+&lt;p&gt;Severity: Medium&lt;/p&gt;
+
+&lt;p&gt;Vendor: The Apache Software Foundation&lt;/p&gt;
+
+&lt;p&gt;Versions Affected: Cordova Android versions up to 3.5.0&lt;/p&gt;
+
+&lt;p&gt;Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.&lt;/p&gt;
+
+&lt;p&gt;The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.&lt;/p&gt;
+
+&lt;p&gt;Implicit intents, including URLs with schemes such as “tel”, “geo”, and “sms” can still be used to open external applications by default, but this behaviour can be overridden by plugins.&lt;/p&gt;
+
+&lt;p&gt;Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.&lt;/p&gt;
+
+&lt;p&gt;Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.&lt;/p&gt;
+
+&lt;p&gt;(This notice originally read as follows:)&lt;/p&gt;
+
 &lt;p&gt;CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs&lt;/p&gt;
 
 &lt;p&gt;Severity: Medium&lt;/p&gt;
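Review bot: nothing marks where the superseded notice ends. After "(This notice originally read as follows:)" the old CVE-2014-3502 text follows in the same paragraph style as the amended one, so in a feed reader the post now shows two CVE-2014-3502 advisories with different titles and it is easy to take the old one as current. Suggest setting the original off in the _posts source, for example as a blockquote, and regenerating.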

Modified: cordova/site/www/_posts/2014-08-04-android-351.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-04-android-351.md?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/www/_posts/2014-08-04-android-351.md (original)
+++ cordova/site/www/_posts/2014-08-04-android-351.md Wed Aug  6 18:52:05 2014
@@ -8,6 +8,9 @@ categories: announcements
 tags: news releases security
 ---
 
+**Updated: 2014-08-06**
+(The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)
+
 Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.
 
 When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:
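Review bot: the added "Updated: 2014-08-06" note says the CVE-2014-3502 text changed but does not link to the explanation. This commit adds 2014-08-06-android-351-update.md for that purpose, and that post links back to this one, so suggest linking forward from this note to /announcements/2014/08/06/android-351-update.html.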
@@ -95,6 +98,47 @@ This issue was discovered by David Kapla
 
 ____
 
+CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL
+loading
+
+
+Severity: Medium
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Cordova Android versions up to 3.5.0
+
+Description:
+Android applications built with the Cordova framework can launch other
+applications through the use of anchor tags, or by redirecting the webview to
+an Android intent URL. An attacker who can manipulate the HTML content of a
+Cordova application can create links which open other applications and send
+arbitrary data to those applications. An attacker who can run arbitrary
+JavaScript code within the context of the Cordova application can also set the
+document location to such a URL. By using this in concert with a second,
+vulnerable application, an attacker might be able to use this method to send
+data from the Cordova application to the network.
+
+The latest release of Cordova Android takes steps to block explicit Android
+intent urls, so that they can no longer be used to start arbitrary applications
+on the device.
+
+Implicit intents, including URLs with schemes such as "tel", "geo", and "sms"
+can still be used to open external applications by default, but this behaviour
+can be overridden by plugins.
+
+Upgrade path:
+Developers who are concerned about this should rebuild their applications with
+Cordova Android 3.5.1.
+
+Credit:
+This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.
+
+
+(This notice originally read as follows:)
+
 CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android
 intent URLs
 

Added: cordova/site/www/_posts/2014-08-06-android-351-update.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-06-android-351-update.md?rev=1616301&view=auto
==============================================================================
--- cordova/site/www/_posts/2014-08-06-android-351-update.md (added)
+++ cordova/site/www/_posts/2014-08-06-android-351-update.md Wed Aug  6 18:52:05 2014
@@ -0,0 +1,27 @@
+---
+layout: post
+author:
+    name: Ian Clelland
+    url: https://twitter.com/iclelland
+title:  "Apache Cordova Android 3.5.1 Update"
+categories: announcements
+tags: news releases security
+---
+
+On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn't quite right, so we've amended it.
+
+You can read the amended blog post [here](http://cordova.apache.org/announcements/2014/08/04/android-351.html).
+
+The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn't load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to "phone home" with the user's data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.
+
+<!--more-->
+
+In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like `sms:`, `mailto:`, or `geo:` in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.
+
+As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like
+
+    cordova plugin add net.iclelland.external-app-block
+
+or feel free to clone it from [GitHub](https://github.com/clelland/cordova-plugin-external-app-block) and tweak it to suit your needs.
+
+We're hoping to have a more flexible solution built in to Cordova with the next release, but in the meantime, the plugin system is powerful enough to allow you to control this for your apps yourself.
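Review bot: the plugin paragraph should say what installing it costs. "blocks all external applications from loading" implies that the sms:, mailto: and geo: links, which the previous paragraph says 3.5.1 still opens, will stop working too; stating that explicitly lets developers choose between the sample plugin and a narrower list of their own. Nit: "This meant that if someone could execute their own JavaScript in your application, that they could use other applications" has a doubled "that".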