# Cordova Apps
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
Info taken from the post [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)
## Basic Information
Apache Cordova is a popular framework that allows you to **create hybrid applications** (Android & iOS) using **JavaScript, HTML and CSS**.
One of the major issues with Cordova is that it **doesn't come with a default method to secure** the **source** of the application, unlike React Native. Cordova has no default way to compile the application source, which makes **code tampering easy**. A Cordova application uses a WebView to render the app from HTML and JS, so the source code stays disclosed even after it is packaged into an APK or IPA, whereas React Native uses a JavaScript VM to run the JavaScript code.
### Cloning Cordova Application <a href="#8f50" id="8f50"></a>
To create a Cordova app we need to install NodeJS. Apart from NodeJS, the build process needs a few other things installed, such as the Android SDK, the Java JDK and Gradle. You can follow the [official documentation](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) for the list of requirements.
For this example, assume the original application is named `Bank.apk` and its package name is `com.android.bank`.
Unzip `bank.apk` and open the `bank/assets/www` folder. We can view the **complete source of the Cordova application**. All the HTML and JS code can be used to create a clone of the application. We can also find the config file of the application in `bank/res/xml/config.xml`.
Now we can create a new Cordova application project:
```bash
npm install -g cordova@latest
cordova create bank-new com.android.bank Bank
cd bank-new
```
Now we need to copy all the files and folders from `bank/assets/www` to `bank-new/www`.
When copying the source code, exclude the following files and folders: `cordova_plugins.js`, `cordova.js`, `cordova-js-src/` and `plugins/`. Copy everything else.
When we create a new Cordova project we need to specify whether the app is for Android or iOS. Since we are cloning the Android app, we need to add an Android platform to it. Cordova has platform versions, and each version has different features and support for Android APIs or Android versions.
The Android API version and the Cordova Android platform version are two different things. You can [check out](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) the list of platform versions and their support for Android APIs.
To add the Cordova Android platform we need to find out which version was originally used by the application. If you use a different version you might face issues since we are using the same source code to clone the application. You can open the `cordova.js` file and search `PLATFORM_VERSION_BUILD_LABEL` to find the version used by the application.
Now that we have added Android platform support, we can add all the plugins used by the application. In the original application, `bank/assets/www/cordova_plugins.js` contains a list of all the plugins used by the application. We need to install those plugins one by one. Search for `module.exports.metadata` in the `cordova_plugins.js` file to see all the plugins along with their versions.
<figure><img src="https://miro.medium.com/v2/resize:fit:1124/1*Hap3DmxS6-1apNj5RfpC3g.png" alt="Cordova Plugins" height="570" width="562"><figcaption><p>Cordova Plugins</p></figcaption></figure>
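The two lookups described above (`PLATFORM_VERSION_BUILD_LABEL` in `cordova.js` and `module.exports.metadata` in `cordova_plugins.js`), as an added example that is not part of the original post: it reads both values from the file contents as text, without evaluating them. The sample file contents, the `9.0.0` platform version, the `cordova-plugin-cache` version and the function names are constructed for illustration, and the metadata object is assumed to be flat JSON.

```javascript
// Constructed samples in the shape of the two files (not from a real app).
const SAMPLE_CORDOVA_JS = `
var PLATFORM_VERSION_BUILD_LABEL = '9.0.0';
`;
const SAMPLE_PLUGINS_JS = `
cordova.define('cordova/plugin_list', function(require, exports, module) {
module.exports = [];
module.exports.metadata =
// TOP OF METADATA
{
  "cordova-plugin-dialogs": "2.0.1",
  "cordova-plugin-cache": "1.0.0"
};
// BOTTOM OF METADATA
});
`;

// Platform version recorded in cordova.js, or null when the label is absent.
function platformVersion(cordovaJs) {
  const m = /PLATFORM_VERSION_BUILD_LABEL\s*=\s*['"]([^'"]+)['"]/.exec(cordovaJs);
  return m ? m[1] : null;
}

// {plugin: version} map from cordova_plugins.js. The file is treated as text
// and never evaluated; the metadata object is assumed to be flat JSON.
function pluginMetadata(pluginsJs) {
  const start = pluginsJs.indexOf('module.exports.metadata');
  if (start === -1) return {};
  const open = pluginsJs.indexOf('{', start);
  const close = open === -1 ? -1 : pluginsJs.indexOf('}', open);
  if (close === -1) return {};
  try {
    return JSON.parse(pluginsJs.slice(open, close + 1));
  } catch (err) {
    return {}; // not plain JSON: read the block by hand instead
  }
}

// name@version strings, the form `cordova plugin add` accepts.
function pluginSpecs(pluginsJs) {
  return Object.entries(pluginMetadata(pluginsJs))
    .map(([name, version]) => `${name}@${version}`)
    .sort();
}

console.log('platform version:', platformVersion(SAMPLE_CORDOVA_JS));
console.log('plugins:', pluginSpecs(SAMPLE_PLUGINS_JS).join(', '));
```

The same output doubles as an inventory of what a shipped `www` folder discloses about the build to anyone who unzips the APK.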
We need to install the plugins one by one using the command below:
```bash
cd bank-new
cordova plugin add cordova-plugin-dialogs@2.0.1
```
{% hint style="warning" %}
If a plugin isn't available in npm, search for it on GitHub:
```bash
cd bank-new
cordova plugin add https://github.com/moderna/cordova-plugin-cache.git
```
{% endhint %}
To compile the application, we need to make sure to have all requirements already installed.
```bash
cd bank-new
cordova requirements
```
Once we have all the setup ready we can build the apk.
```bash
cd bank-new
cordova build android -- --packageType=apk
```
The above build command creates an APK with the debug method enabled, which allows us to debug the application using Google Chrome. Before installing the APK, make sure to sign it. If the application has code tampering detection, it will be bypassed unless there is no specific configuration set.
### Automatic Tool
[**MobSecco**](https://github.com/Anof-cyber/MobSecco): A tool that automates the complete process of cloning the Android application.