Google Play reject Cordova application 'cause contains security vulnerabilities for users

Question

I developed an application on Apache Cordova, I followed all the steps to generate the .apk to upload on Google Play. I tried many times but Google's response is the same:

We rejected APP, package ID com.xxx.app, for violating our dangerous products policy. If you submitted an update, the previous version of your app is still available on Google Play. This app uses software that contains security vulnerabilities for users. Below is the list of vulnerabilities and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK. Vulnerability Apache Cordova: The vulnerabilities were fixed in Apache Cordova v.3.5.1.

I have the latest version of Cordova (5.4.1).

The following will detail the steps that I followed for installation and project development:

• Start the download of Cordova from the console Node.js using the command npm install -g Cordova.
• Install Java: version 1.8.0_65.
• Install Android SDK.
• Add Java and SDK to PATH.
• I downloaded the necessary components of the Android SDK.
• Create the project through the commands. (Cordova create Projectxxxx).
• Add the Android platform.
• I copied my application code in the www folder.
• Add the plugins needed for my project: splashscreen and sqlite.
• I tested the application on the Android emulator and other mobile phones. All good. Runs perfect.

• To create the signed APK file, these are the steps:

  -Cordova build --release android. (This generated the android-release-unsigned.apk on platforms / android / build / outputs / apk).

  -Then, I generated the keystore.

  -After the jarsigner.

  -Finally: zipalign.

• I upload end-app.apk to Google Play.

Another detail that I have is that cordova.js generated version is 4.1.1. But the console version is 5.4.1 (Command: Cordova -version). I did everything by node.js console.

Attemps: I uploaded an APK without js components. Only with cordova.js and it not worked. I installed all over again in a newly installed windows and neither worked.

My version is higher than 3.5.1. I can not find the solution.

Answer 1

The big problem is not just that PLATFORM_VERSION_BUILD_LABEL is wrong, but the default cordova used is ancient ( it was 3.7.1 on mine ). To resolve this you need to install a newer version in the project. You can specify this on the command line, much like npm does.

cordova platform update android@4.1.1

Or you can specify it in your config.xml

<engine name="android" version="4.1.1" />

That may need 'spec' instead of 'version' depending on how current you cordova install is. At this point, they are up to 5.1, and you can use 'latest' instead of a specific version number.

The next headache will be the point of the patch, which locks down network access. I am now getting 404 errors on all my ajax calls to our server. Access was the root of the security problem, so this isn't a big surprise. I am still working on that.

Answer 2

I was trying to solve this problem almost for a week. Solution: There was a cordova.js file within www/lib/cordova folder that doesn't get updated when you update cordova and ionic. Open the file and look for var PLATFORM_VERSION_BUILD_LABEL. If the version is not 4.1.1 at the time of this post, update it with another copy of the file that is somewhere in your main directory.

Answer 3

I had the same problem, I found a previous corodva version in a plugin, in my case was facebook connect; I deleted this plugin and upload again, its work form me. You may search PLATFORM_VERSION_BUILD_LABEL in your project, is posible that some plugin have other cordova version.