hacktricks/mobile-pentesting/cordova-apps.md

# Cordova Apps

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

**Vir verdere besonderhede, kyk na [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)**. Dit is 'n opsomming:

Apache Cordova word erken vir die moontlikheid om **hibridetoepassings** te ontwikkel met **JavaScript, HTML, en CSS**. Dit maak die skepping van Android en iOS toepassings moontlik; egter, dit het nie 'n standaardmeganisme om die toepassings se bronkode te beveilig nie. In teenstelling met React Native, kompileer Cordova nie die bronkode nie, wat kan lei tot kwesbaarhede in kodeverandering. Cordova gebruik WebView om toepassings te render, wat die HTML en JavaScript kode blootstel selfs nadat dit in APK of IPA lêers gekompileer is. React Native, aan die ander kant, gebruik 'n JavaScript VM om JavaScript kode uit te voer, wat beter beskerming van die bronkode bied.

### Kloning van 'n Cordova Toepassing

Voordat jy 'n Cordova toepassing kloon, verseker dat NodeJS geïnstalleer is saam met ander vereistes soos die Android SDK, Java JDK, en Gradle. Die amptelike Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) bied 'n omvattende gids vir hierdie installasies.

Neem 'n voorbeeldtoepassing genaamd `Bank.apk` met die pakketnaam `com.android.bank`. Om toegang tot die bronkode te verkry, ontsyfer `bank.apk` en navigeer na die `bank/assets/www` gids. Hierdie gids bevat die volledige bronkode van die toepassing, insluitend HTML en JS lêers. Die toepassingskonfigurasie kan gevind word in `bank/res/xml/config.xml`.

Om die toepassing te kloon, volg hierdie stappe:
```bash
npm install -g cordova@latest
cordova create bank-new com.android.bank Bank
cd bank-new
```
Kopieer die inhoud van `bank/assets/www` na `bank-new/www`, met uitsluiting van `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, en die `plugins/` gids.

Specifiseer die platform (Android of iOS) wanneer jy 'n nuwe Cordova-projek skep. Vir die kloon van 'n Android-app, voeg die Android-platform by. Let daarop dat Cordova se platformweergawe en Android API-vlakke verskillend is. Verwys na die Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) vir besonderhede oor platformweergawe en ondersteunde Android API's.

Om die toepaslike Cordova Android-platformweergawe te bepaal, kyk na die `PLATFORM_VERSION_BUILD_LABEL` in die oorspronklike aansoek se `cordova.js`-lêer.

Nadat die platform opgestel is, installeer die vereiste plugins. Die oorspronklike aansoek se `bank/assets/www/cordova_plugins.js`-lêer lys al die plugins en hul weergawes. Installeer elke plugin individueel soos hieronder getoon:
```bash
cd bank-new
cordova plugin add cordova-plugin-dialogs@2.0.1
```
As 'n plugin nie op npm beskikbaar is nie, kan dit van GitHub verkry word:
```bash
cd bank-new
cordova plugin add https://github.com/moderna/cordova-plugin-cache.git
```
Verseker dat alle vereistes nagekom word voordat jy saamstel:
```bash
cd bank-new
cordova requirements
```
Om die APK te bou, gebruik die volgende opdrag:
```bash
cd bank-new
cordova build android — packageType=apk
```
Hierdie opdrag genereer 'n APK met die foutopsporing opsie geaktiveer, wat foutopsporing via Google Chrome vergemaklik. Dit is van kardinale belang om die APK te teken voor installasie, veral as die aansoek kode manipulasie opsporing meganismes insluit.

### Outomatisering Gereedskap

Vir diegene wat die kloonproses wil outomatiseer, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is 'n aanbevole gereedskap. Dit stroomlyn die kloon van Android aansoeke, wat die stappe hierbo vereenvoudig.

{% hint style="success" %}
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`# Cordova Apps`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<details>`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-05 11:02:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% endhint %}`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Vir verdere besonderhede, kyk na [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58). Dit is 'n opsomming:`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			Apache Cordova word erken vir die moontlikheid om hibridetoepassings te ontwikkel met JavaScript, HTML, en CSS. Dit maak die skepping van Android en iOS toepassings moontlik; egter, dit het nie 'n standaardmeganisme om die toepassings se bronkode te beveilig nie. In teenstelling met React Native, kompileer Cordova nie die bronkode nie, wat kan lei tot kwesbaarhede in kodeverandering. Cordova gebruik WebView om toepassings te render, wat die HTML en JavaScript kode blootstel selfs nadat dit in APK of IPA lêers gekompileer is. React Native, aan die ander kant, gebruik 'n JavaScript VM om JavaScript kode uit te voer, wat beter beskerming van die bronkode bied.
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`### Kloning van 'n Cordova Toepassing`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Voordat jy 'n Cordova toepassing kloon, verseker dat NodeJS geïnstalleer is saam met ander vereistes soos die Android SDK, Java JDK, en Gradle. Die amptelike Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) bied 'n omvattende gids vir hierdie installasies.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			Neem 'n voorbeeldtoepassing genaamd `Bank.apk` met die pakketnaam `com.android.bank`. Om toegang tot die bronkode te verkry, ontsyfer `bank.apk` en navigeer na die `bank/assets/www` gids. Hierdie gids bevat die volledige bronkode van die toepassing, insluitend HTML en JS lêers. Die toepassingskonfigurasie kan gevind word in `bank/res/xml/config.xml`.
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Om die toepassing te kloon, volg hierdie stappe:`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00			```bash
			`npm install -g cordova@latest`
			`cordova create bank-new com.android.bank Bank`
			`cd bank-new`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			Kopieer die inhoud van `bank/assets/www` na `bank-new/www`, met uitsluiting van `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, en die `plugins/` gids.
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Specifiseer die platform (Android of iOS) wanneer jy 'n nuwe Cordova-projek skep. Vir die kloon van 'n Android-app, voeg die Android-platform by. Let daarop dat Cordova se platformweergawe en Android API-vlakke verskillend is. Verwys na die Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) vir besonderhede oor platformweergawe en ondersteunde Android API's.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			Om die toepaslike Cordova Android-platformweergawe te bepaal, kyk na die `PLATFORM_VERSION_BUILD_LABEL` in die oorspronklike aansoek se `cordova.js`-lêer.
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			Nadat die platform opgestel is, installeer die vereiste plugins. Die oorspronklike aansoek se `bank/assets/www/cordova_plugins.js`-lêer lys al die plugins en hul weergawes. Installeer elke plugin individueel soos hieronder getoon:
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00			```bash
			`cd bank-new`
			`cordova plugin add cordova-plugin-dialogs@2.0.1`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`As 'n plugin nie op npm beskikbaar is nie, kan dit van GitHub verkry word:`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00			```bash
			`cd bank-new`
			`cordova plugin add https://github.com/moderna/cordova-plugin-cache.git`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Verseker dat alle vereistes nagekom word voordat jy saamstel:`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00			```bash
			`cd bank-new`
			`cordova requirements`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Om die APK te bou, gebruik die volgende opdrag:`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00			```bash
			`cd bank-new`
			`cordova build android — packageType=apk`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Hierdie opdrag genereer 'n APK met die foutopsporing opsie geaktiveer, wat foutopsporing via Google Chrome vergemaklik. Dit is van kardinale belang om die APK te teken voor installasie, veral as die aansoek kode manipulasie opsporing meganismes insluit.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`### Outomatisering Gereedskap`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`Vir diegene wat die kloonproses wil outomatiseer, [MobSecco](https://github.com/Anof-cyber/MobSecco) is 'n aanbevole gereedskap. Dit stroomlyn die kloon van Android aansoeke, wat die stappe hierbo vereenvoudig.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% hint style="success" %}`
			`Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<details>`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`<summary>Ondersteun HackTricks</summary>`
arte 2024-01-05 11:02:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`* Kyk na die [subskripsie planne](https://github.com/sponsors/carlospolop)!`
			`* Sluit aan by die 💬 [Discord groep](https://discord.gg/hRep4RUj7f) of die [telegram groep](https://t.me/peass) of volg ons op Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Deel hacking truuks deur PRs in te dien na die [HackTricks](https://github.com/carlospolop/hacktricks) en [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4006: change request with no subject merged in GitBook 2023-07-11 09:47:01 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00			`{% endhint %}`