Vulnerability in Cordova below version 4.1.1.

5 posts, 0 answers
  1. Carlos
    Carlos avatar
    69 posts
    Member since:
    Jun 2011

    Posted 09 Feb Link to this post

     

     

    Hello, 

    I submitted a Support ticket about this too, but we need an answer ASAP. 

    We received an email about a vulnerability in the Cordova version below 4.1.1.

    There seems to be an issue with this in Telerik Appbuilder, because in our IDE, we only have options for 4.0 and 5.0 (Experimental). Nothing for 4.1.1 (See attached image).  And we don't want to upgrade the Cordova version to 5.0 because it is in an "Experimental" state.
     
    Please advise on how to remedy this issue ASAP.
    We have many users using our app and we do not want a vulnerability jeopardizing our customer.

    See below for the email we received from Google.

     

     ===============================

    Hello Google Play Developer,

    Your app(s) listed at the end of this email utilize a version of Apache Cordova, an open-source mobile development framework, that contains one or more security vulnerabilities. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
    Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible and increment the version number of the upgraded APK. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.
    The vulnerabilities were addressed in Apache Cordova 4.1.1. If you’re using a 3rd party library that bundles Apache Cordova, you’ll need to upgrade it to a version that bundles Apache Cordova 4.1.1 or later.
    To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
    For information about the vulnerabilities, please see this Google Help Center article. For other technical questions, you can post to Stack Overflow and use the tag “android-security.”
    While these specific issues may not affect every app that uses Apache Cordova, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
    Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

    Regards,

    The Google Play Team
    ©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
    Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

    =====================================
  2. Arif
    Arif avatar
    3 posts
    Member since:
    Sep 2014

    Posted 10 Feb Link to this post

    We are also wondering about this - we got the same email from Google
  3. Kaloyan
    Admin
    Kaloyan avatar
    872 posts

    Posted 12 Feb Link to this post

    Hi guys,

    Please check this forum thread on the same issue and let us know if you have any feedback about the action plan there.

    I hope this answers your questions.

    Regards,
    Kaloyan
    Telerik
     

    Visit the Telerik Verified Plugins Marketplace and get the custom Cordova plugin you need, already tweaked to work seamlessly with AppBuilder.

     
  4. Jim
    Jim avatar
    13 posts
    Member since:
    Jan 2015

    Posted 29 Mar in reply to Kaloyan Link to this post

    Is this officially resolved now? I see that the Cordova version selection now has Android 4.1.1 listed.

    4.0.0 (Android 4.1.1, iOS 3.8.0 WP 3.8.0-2)

    Given the importance and visibility of this issue, I was expecting an announcement from Telerik when the solution was officially available. 

     

  5. Kaloyan
    Admin
    Kaloyan avatar
    872 posts

    Posted 30 Mar Link to this post

    Hi Jim,

    Thank you for sharing this with the community.

    Indeed, Cordova for Android 4.1.1 is now released in the AppBuilder Cordova 4.0.0 set and you can migrate to it in order for your applications to meet the requirements from Google.

    We plan to officially announce this with our upcoming release, scheduled for the beginning of April.

    Please, let us know if you experience any issues with the new Cordova version across your applications so that we can react in timely manner.

    Regards,
    Kaloyan
    Telerik
     

    Visit the Telerik Verified Plugins Marketplace and get the custom Cordova plugin you need, already tweaked to work seamlessly with AppBuilder.

     
Back to Top