Security Alert: Apache Cordova vulnerabilities in your Google Play app

  • Problem
  • Updated 4 years ago
  • In Progress
I just got this email from Google about all the apps I have published with PhoneGap.

-------
This is a notification that you have multiple apps, listed below, built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcemen....

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
---------

I don't use any user login stuff or anything that would be vulnerable, but I do not want my apps taken down!

How do I upgrade to 3.5.1? I am currently using 3.4

Chris Bechard


Posted 6 years ago


Pavel Sarwar

I used this (cli-5.2.0), but the alerts are still there.

Petra V., Champion

What kind of 'alerts'?
Are you referring to the Google message, saying that you should update to Apache Cordova 3.5.1 or higher?

Pavel Sarwar

Yes, the Google message saying I should update to Apache Cordova 3.5.1 or higher.

Petra V., Champion

Is your zip file available online somewhere? If so, please post its URL and I'll be happy to have a look.

Pavel Sarwar

https://github.com/pavelsarwar/amar_g...

This is my app file. I changed the XML.

Petra V., Champion

OK.
The version seems correct.

I would suggest:
- you add the cordova-plugin-whitelist, otherwise your access rules don't take effect on Android
- you change android-minSdkVersion to at least '14'
- you add icons and splashes for xxhdpi and xxxhdpi

Not sure if that helps in this case, but these changes are strongly recommended, anyway.

If you rebuild, make sure to have Hydration switched off!

Pavel Sarwar

I am not good at developing.
Where do I use cordova-plugin-whitelist, and how?
How can I change android-minSdkVersion to at least '14', and where?
What size (in px) should the icons and splashes for xxhdpi and xxxhdpi be?
Where is the Hydration switch?

Pavel Sarwar

How can I change android-minSdkVersion to at least '14', and where?
What size (in px) should the icons and splashes for xxhdpi and xxxhdpi be?

Got it.

Petra V., Champion

Oh Dear!
You may want to read the Phonegap Build Docs, first.

1. include cordova-plugin-whitelist from npm in your config.xml. See the Configuring section of the PGB Docs

2. change the android-minSdkVersion in your config.xml, where you have the value '7' now

3. The correct dimensions for xxhdpi and xxxhdpi can easily be googled. You will find for instance:
- XXHDPI
  - Portrait: 960x1600px
  - Landscape: 1600x960px
- XXXHDPI
  - Portrait: 1280x1920px
  - Landscape: 1920x1280px

For Android, you may also want to use a 9-patch image instead.
See http://radleymarx.com/blog/simple-gui...

4. The Hydration switch is on the Settings page of your app's PGB web page.

Pavel Sarwar

Hydration switch: enable or disable?
That means click it or not?

All are solved without cordova-plugin-whitelist.

Pavel Sarwar

Are you saying I should use this code in the config.xml file?

<engines>
  <engine name="cordova-android" version=">=4.0.0" />
</engines>

<plugin name="cordova-plugin-whitelist" />

Petra V., Champion

The latter, yes.
Don't use the engines element, though.

Piotr Karpiński

After 3 days of trying to publish the APK (tried both command line and PGB) I found the reason why Google rejects my application, suggesting a pre-3.5.1 version.

So my problem was that in my /js folder there was an old, unused legacy cordova.js file (version 2.9.0). Although unused, this file was the reason my app was rejected.
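As an added example (not code from the thread, from PhoneGap Build or from Apache Cordova): a small pre-build check for the config.xml points Petra lists above (android-minSdkVersion of at least 14, cordova-plugin-whitelist declared) and for the stale bundled cordova.js that Piotr found. The sample config.xml, the www/ file tree and the function names are constructed for this example; run it against your own project before uploading.

```python
# Added example, not code from the thread or from PhoneGap Build: a pre-build lint
# for the three points raised above. Sample config and file tree are constructed.
import re
import xml.etree.ElementTree as ET

MIN_SDK = 14  # android-minSdkVersion recommended in the thread

# Constructed config.xml resembling the one discussed (minSdk 7, no whitelist plugin).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <name>Sample</name>
  <preference name="phonegap-version" value="cli-5.2.0" />
  <preference name="android-minSdkVersion" value="7" />
  <access origin="*" />
</widget>"""

# Constructed www/ tree: path -> first lines of the file (stale cordova.js bundled in js/).
SAMPLE_WWW = {
    "www/index.html": "<html></html>",
    "www/js/cordova.js": "// Platform: android\n// 2.9.0\n",
}

def lint_config(xml_text):
    """Return findings for a config.xml string (empty list means clean)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[:root.tag.index("}") + 1] if "}" in root.tag else ""  # handle default namespace
    findings = []
    prefs = {p.get("name"): p.get("value") for p in root.findall(f"{ns}preference")}
    sdk = prefs.get("android-minSdkVersion")
    if sdk is None or not sdk.isdigit() or int(sdk) < MIN_SDK:
        findings.append(f"android-minSdkVersion is {sdk!r}; set it to at least {MIN_SDK}")
    plugins = {p.get("name") for p in root.findall(f"{ns}plugin")}
    if "cordova-plugin-whitelist" not in plugins:
        findings.append("cordova-plugin-whitelist missing; <access> rules will not apply on Android")
    return findings

def find_stale_cordova_js(files):
    """Flag bundled cordova.js files whose header version is below 3.5.1."""
    stale = []
    for path, head in files.items():
        if not path.endswith("cordova.js"):
            continue
        m = re.search(r"^//\s*(\d+)\.(\d+)\.(\d+)", head, re.M)  # version line in the file header
        if m and tuple(int(x) for x in m.groups()) < (3, 5, 1):
            stale.append(f"{path} is cordova.js {'.'.join(m.groups())}; remove it, PGB injects its own")
    return stale

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) + find_stale_cordova_js(SAMPLE_WWW):
        print("WARN:", finding)
```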