Rejected App for Apache Cordova Security Issue

  • Problem
  • Updated 4 years ago
  • Solved
Google Play Store rejected my app for "violating our dangerous products policy". I tried 3 times to publish a new update with changes.
Every time, Google rejects the new build, telling me that there are vulnerabilities in Cordova version 3.5.1, so I should update to the latest version and publish again. But my phonegap-version is cli-5.2.0. I use the whitelist plugin and the Content-Security-Policy meta tag in all HTML files. I build the app with PhoneGap Build and it works great on the phone.
How can I fix it???
Finn Cappe
  • frustrated

Posted 5 years ago

JesseMonroy650 (Volunteer), Champion
Hmmm. Please post the whitelist section of your config.xml and your CSP. Please use some HTML (see attached image). You may need to make it less open than it is. We have not had a lot of feedback from Google Play on this.

TIA
Jesse
Finn Cappe
The whitelist section of config.xml

<access origin="http://www.myweb.es"/> <!-- where my PHP files are -->
<allow-navigation href="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="mailto:*" />
<allow-navigation href="data:*" />
<allow-navigation href="file:*" />

And the meta tag in all files:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src * 'unsafe-inline' 'self' http://*.googleapis.com https://*.googleapis.com; script-src 'self' 'unsafe-inline'">
Finn Cappe
I tried to make it less open with
<meta http-equiv="Content-Security-Policy" content="default-src 'self' http://www.myweb.es; style-src * 'unsafe-inline' 'self' http://*.googleapis.com https://*.googleapis.com; script-src 'self' 'unsafe-inline'">
But it was rejected again with the same answer.
Finn Cappe
I solved the problem. In a previous local compilation without PhoneGap Build I included the file cordova.js v2.9.1.
I didn't use this file, I didn't have any link to this file (I forgot it was there). I suppose Google automatically finds the archive with this version and rejects the app.
Thanks for your help and sorry for the inconvenience.
JesseMonroy650 (Volunteer), Champion
Yes, that is exactly it. Google checks to see if you have applied Cordova.js that has a version that is better than 3.5.1.

To be clear, 3.7.0 is okay, but not 3.5.1.

Glad you solved it.
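
A pre-submission check for the situation resolved in this thread, added here as an example and not part of any post above: it walks a project tree and reports every cordova.js copy whose declared version is 3.5.1 or lower, whether or not any page links to it. It assumes the version appears in a `CORDOVA_JS_BUILD_LABEL` or `PLATFORM_VERSION_BUILD_LABEL` assignment; the sample tree and the names `audit` and `build_sample_tree` are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: cordova.js records its version in one of these assignments.
LABEL_RE = re.compile(
    r"(?:CORDOVA_JS_BUILD_LABEL|PLATFORM_VERSION_BUILD_LABEL)\s*=\s*['\"](\d+(?:\.\d+)*)"
)
REJECTED_UP_TO = (3, 5, 1)  # from the thread: 3.5.1 is rejected, 3.7.0 is okay

def parse_version(text):
    """Return the version tuple declared in a cordova.js body, or None."""
    m = LABEL_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def find_cordova_js(root):
    """Yield (relative_path, version) for every cordova*.js under root,
    including copies that no HTML page references."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if re.fullmatch(r"cordova(?:[-.][\w.-]+)?\.js", name, re.I):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(path, root), parse_version(fh.read())

def audit(root):
    """Return sorted paths whose version is <= 3.5.1 or cannot be determined."""
    return sorted(p for p, v in find_cordova_js(root)
                  if v is None or v <= REJECTED_UP_TO)

def build_sample_tree(root):
    """Constructed sample project: one current file, two forgotten old copies."""
    samples = {
        "www/cordova.js": "var PLATFORM_VERSION_BUILD_LABEL = '4.1.1';",
        "www/old/cordova.js": "var CORDOVA_JS_BUILD_LABEL = '2.9.1-0-gabc1234';",
        "www/js/cordova-3.5.1.js": "var CORDOVA_JS_BUILD_LABEL = '3.5.1';",
        "www/js/index.js": "document.addEventListener('deviceready', init);",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in audit(tmp):
            print("remove or upgrade:", path)
```

Running the same scan over an unpacked build output before upload also catches copies that only the packaging step pulls in.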
Gaurav Mangal





EmailManager

A sample Apache Cordova application that responds to the deviceready event.

Apache Cordova Team