Security Alert: Apache Cordova vulnerabilities in your Google Play app

  • Problem
  • Updated 4 years ago
  • In Progress
I just got this email from Google about all the apps I have published with PhoneGap.

-------
This is a notification that you have multiple apps, listed below, built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcemen....

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
---------

I don't use any user login stuff or anything that would be vulnerable, but I do not want my apps taken down!

How do I upgrade to 3.5.1? I am currently using 3.4.
Chris Bechard

Posted 6 years ago

ryan, Developer

Official Response
Build with 3.5.0 -- Phonegap Android 3.5.0 on Phonegap Build is actually 3.5.1. Proof:
http://phonegap.com/blog/2014/08/07/c...

Alternatively, we have recently released Phonegap 3.6.3 as well.

ryan, Developer

Official Response
I think the way to handle this is to upgrade to 3.6.3.

If Andy is correct and they still reject an app built with 3.5.0 on Build, the question I'm wondering is how they are determining what phonegap version an app is built with. If you build an apk on PGB with 3.5.0, it will be built with 3.5.1 -- however if you unpack the apk the following string will still be in your config.xml:

<preference name="phonegap-version" value="3.5.0" />

However in the cordova.js file you will see:

// Platform: android
// 3.5.1
...
var CORDOVA_JS_BUILD_LABEL = '3.5.1';

It's possible they see the single instance of "3.5.0" and that flags it for them, even though that's not its actual version. Again, building with 3.6.3 will solve this.
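As an added check (my own example script, not code from PhoneGap Build or from ryan's post), the following unpacks an APK and reports the two version strings ryan points at, so you can tell whether the shipped cordova.js is at or above 3.5.1 even when config.xml still says 3.5.0. It assumes plain-text copies of config.xml and cordova.js under assets/www/ inside the APK, and the APK it scans here is a constructed stand-in containing only those two files.

```python
import io, re, zipfile

MIN_SAFE = (3, 5, 1)  # version Google's notice asks for
PREF_RE = re.compile(r'<preference\s+name="phonegap-version"\s+value="([\d.]+)"')
LABEL_RE = re.compile(r"CORDOVA_JS_BUILD_LABEL\s*=\s*'([\d.]+)'")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def scan_apk(apk_bytes):
    """Return the version strings found in config.xml and cordova.js.
    Assumption: plain-text copies sit under assets/www/; the binary-encoded
    res/xml/config.xml is not decoded (the regex simply will not match it)."""
    found = {"config_xml": None, "cordova_js": None}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith(("config.xml", "cordova.js")):
                continue
            text = apk.read(name).decode("utf-8", errors="ignore")
            pref, label = PREF_RE.search(text), LABEL_RE.search(text)
            if pref and found["config_xml"] is None:
                found["config_xml"] = pref.group(1)
            if label and found["cordova_js"] is None:
                found["cordova_js"] = label.group(1)
    return found

def assess(found):
    """'vulnerable' if the shipped cordova.js is older than 3.5.1; 'mislabelled'
    if cordova.js is fine but config.xml still carries an older version (ryan's
    3.5.0 case); 'ok' otherwise; 'unknown' if no build label was found."""
    if found["cordova_js"] is None:
        return "unknown"
    if parse_version(found["cordova_js"]) < MIN_SAFE:
        return "vulnerable"
    cfg = found["config_xml"]
    if cfg is not None and parse_version(cfg) < MIN_SAFE:
        return "mislabelled"
    return "ok"

def build_sample_apk(pref_version, js_label):
    """Constructed stand-in for a PhoneGap Build APK holding only the two files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/www/config.xml",
                     f'<widget><preference name="phonegap-version" value="{pref_version}" /></widget>')
        apk.writestr("assets/www/cordova.js",
                     f"// Platform: android\n// {js_label}\nvar CORDOVA_JS_BUILD_LABEL = '{js_label}';\n")
    return buf.getvalue()
```

To check a real build, pass the bytes of your APK to scan_apk() and feed the result to assess(); a "mislabelled" verdict is exactly the 3.5.0-on-Build situation ryan describes.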