Security bug in Cordova 3.5.1

3 posts, 0 answers
  1. David Amm

    Posted 02 Jun 2015

    Our AppBuilder app for Android is running Cordova 3.5.1. Apparently this is susceptible to attack (http://www.techworm.net/2015/06/security-bug-in-cordova-allows-a-single-url-click-to-tamper-android-apps.html) and I should upgrade to Cordova 3.7.2 (or 4.0.2).

    1. Is this a credible threat right now?

    2. Is Cordova 3.7.2 supported in the latest version of AppBuilder?

    3. Is the upgrade path from 3.5.1 to 3.7.2 straightforward or complex?

    David

  2. David Amm

    Posted 02 Jun 2015 in reply to David Amm

    We've updated our project and the version of Cordova. Unfortunately it only goes to 3.7.1 on Android (labelled experimental!). So the security weakness is still with us.
  3. Kaloyan
    Admin

    Posted 05 Jun 2015

    Hello David,

    Thank you for contacting us.

    Now, straight to your concerns:

    1. Is this a credible threat right now?

    I believe yes. The security bug is real and I won't be surprised if Google decide to reject applications developed with Cordova versions prior to 3.7.2 in the future.

    2. Is Cordova 3.7.2 supported in the latest version of AppBuilder?

    Currently, the latest Cordova version for Android supported in AppBuilder is Cordova 3.7.1. The good news, however, is that with the upcoming AppBuilder 2.10 release (next week) we will introduce Cordova 3.7.2 and Cordova 4.0.2. What we plan to do is to replace the current Cordova 3.7.1 with Cordova 3.7.2 and add one more experimental version (4.0.2) for the Crosswalk compatibility. I think this also answers your question from the last post.

    3. Is the upgrade path from 3.5.1 to 3.7.2 straightforward or complex?

    To upgrade the Cordova version of your AppBuilder project, you only need to change it from the drop-down in the project's properties. We handle everything else automatically on the server. However, it is important that you test the functionality of the application after upgrading, as it is possible for issues or certain defects to arise.

    Further, after the upcoming AppBuilder 2.10 release, Cordova 3.7.2 will still be marked as experimental. Nevertheless, this only means that it hasn't been extensively tested on our side. In other words, if issues occur with an experimental version, we will be happy to know about them and will also try to address them as soon as possible. The experimental tag of the upcoming Cordova 3.7.2 should be removed in the AppBuilder 2.11 release, scheduled for July. I hope this helps.

    Regards,
    Kaloyan
    Telerik