Google Play store notification mail addressing Cordova security vulnerability

4 posts, 0 answers
  1. Tina
    4 posts
    Member since:
    Jul 2012

    Posted 02 Oct 2014

    If you have published an app in the Google Play store, you might receive the following email from Google.

       "This is a notification that your <App ID>, is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

       You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements/2014/08/04/android-351.html.

       Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

    Regards,
    Google Play Team"


    AppBuilder 2.5 introduced support for Apache Cordova 3.5.1 for Android. To address the notification from Google, you need to rebuild your app to target Apache Cordova 3.5.1. In order to do so, you can follow these steps:
    1. Open the Project Properties and navigate to the General tab.
    2. If your app does not target Apache Cordova 3.5.0, change the target Cordova version to 3.5.0 (Android 3.5.1).
    3. If your app targets Apache Cordova 3.5.0, your project is already configured to target Apache Cordova 3.5.1 server-side. To configure cordova.android.js to properly show the correct Cordova version you will, however, need to manually update the target Cordova version of your project:
      • change the target Cordova version to 3.2.0 and save the changes
      • change the target Cordova version to 3.5.0 (Android 3.5.1) and save the changes again
    4. Run the Publish wizard to rebuild the APK.
    5. Resubmit the APK to Google Play.
  2. Ken
    4 posts
    Member since:
    Mar 2011

    Posted 03 Oct 2014

    Our app is published with Cordova Version 3.5.0 (Android 3.5.1). But we still receive the Security Alert email from Google Play. Do we need to make any change, or can we ignore it?

    Further, what changes do we need to make in the cordova.android.js file?

  3. Patrick
    6 posts
    Member since:
    Jan 2013

    Posted 08 Oct 2014

    I have the same problem. App is published with Cordova Version 3.5.0 (Android 3.5.1), but I still receive the security alert.

    What should I do?
  4. Tina Stancheva
    Admin
    3298 posts

    Posted 08 Oct 2014

    Hi guys,

    Since your app targets Apache Cordova 3.5.0, your project is already configured to target Apache Cordova 3.5.1 server-side. To configure cordova.android.js to properly show the correct Cordova version you will, however, need to manually update the target Cordova version of your project. So please go ahead and:
    1. Open the Project Properties and navigate to the General tab
    2. Change the target Cordova version to 3.2.0
    3. Save the changes
    4. Change the target Cordova version to 3.5.0 (Android 3.5.1)
    5. Save the changes
    6. Open the cordova.android.js file and make sure that the CORDOVA_JS_BUILD_LABEL value is 3.5.1.
    7. Run the Publish wizard to rebuild the APK.
    8. Resubmit the APK to Google Play.

    Let us know if you still have issues after executing the above steps.

    Regards,
    Tina Stancheva
    Telerik
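
A way to confirm step 6 of the reply above on the rebuilt APK before resubmitting it, as an added example that is not part of the original thread or of AppBuilder: it opens the APK as a zip, finds the Cordova script, and compares its CORDOVA_JS_BUILD_LABEL with 3.5.1. The file-name pattern, the form of the label assignment, and the helper names are assumptions; the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Fixed release named in the Google notification quoted in this thread.
MIN_FIXED = (3, 5, 1)
# Assumption: the label is assigned as a quoted string literal,
# e.g.  var CORDOVA_JS_BUILD_LABEL = '3.5.1';
LABEL_RE = re.compile(r"CORDOVA_JS_BUILD_LABEL\s*=\s*['\"]([^'\"]+)['\"]")
# Assumption: the script is named cordova.js or cordova.<platform>.js.
SCRIPT_RE = re.compile(r"(^|/)cordova(\.[\w-]+)?\.js$")


def parse_version(label):
    """Turn '3.5.1' or '3.5.1-dev' into (3, 5, 1); None if not numeric."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", label)
    return tuple(int(p) for p in m.groups()) if m else None


def audit_apk(apk):
    """Return [(path, label, ok)] for each Cordova script in the APK.

    apk is a file name or file-like object. ok is False when the label is
    missing, not a version number, or lower than MIN_FIXED.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not SCRIPT_RE.search(name):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            m = LABEL_RE.search(text)
            label = m.group(1) if m else None
            version = parse_version(label) if label else None
            ok = version is not None and version >= MIN_FIXED
            findings.append((name, label, ok))
    return findings


def build_sample_apk(label):
    """Constructed stand-in for an APK: a zip holding one cordova.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/www/cordova.js", "var CORDOVA_JS_BUILD_LABEL = '%s';\n" % label)
        zf.writestr("assets/www/index.html", "<html></html>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sample in ("3.5.0", "3.5.1"):
        for path, found, ok in audit_apk(build_sample_apk(sample)):
            print(path, found, "OK" if ok else "REBUILD NEEDED")
```

The check reads only the label in the bundled script; it does not inspect the native Cordova library inside the APK.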
     
