Reputation: 2245
Apache Cordova security vulnerability
I've recently uploaded an android app to Google Play and I've got the well known security vulnerability warning Apache Cordova security vulnerability. I'm a bit confused because I'm using Cordova CLI 6.0.0 and Cordova Android 5.1.1. What I'm doing wrong?
Project info:
>cordova platform ls
Installed platforms: android 5.1.1
Available platforms: amazon-fireos, blackberry10, browser, firefoxos, webos, windows, windows8, wp8
>cordova --version
6.0.0
>cordova plugin ls
cordova-plugin-device 1.1.2-dev "Device"
cordova-plugin-dialogs 1.2.1-dev "Notification"
cordova-plugin-file 4.1.2-dev "File"
cordova-plugin-file-transfer 1.5.1-dev "File Transfer"
cordova-plugin-geolocation 2.1.1-dev "Geolocation"
cordova-plugin-globalization 1.0.3-dev "Globalization"
cordova-plugin-inappbrowser 1.3.1-dev "InAppBrowser"
cordova-plugin-network-information 1.2.1-dev "Network Information"
cordova-plugin-splashscreen 3.2.1-dev "Splashscreen"
cordova-plugin-whitelist 1.2.2-dev "Whitelist"
I've tried to add/remove next lines in config.xml
<plugin name="cordova-plugin-whitelist" spec="1" />
<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
<allow-intent href="market:*" />
</platform>
I've also tried adding and removing next line in index.html
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
This is the email I received from Google Play Team:
Hello Google Play Developer,
We rejected XXXXXX, package ID XXXXXXX, for violating our Malicious Behavior policy. If you submitted an update, the previous version of your app is still available on Google Play.
This app uses software that contains security vulnerabilities for users.
Below is the list of vulnerabilities and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.
Vulnerability APK Version(s) Apache Cordova The vulnerabilities were fixed in Apache Cordova v.3.5.1.
You can find more information and next steps in this Google Help Center article.
Upvotes: 0
Views: 2084
Answers (2)
Reputation: 2245
As @jcesarmobile said, there are several cordova.js files in the cordova project. I had to update not only the main cordova.js file in www folder but I had to manually update this file in other folders (such as /platform/android/assets/www); then I was able to upload a new version without Security Warnings in Google Play.
Upvotes: 3
Reputation: 371
A long shot - and one not explicitly mentioned by Google although they are looking for XSS exposures - but have you perhaps added an 'unsafe-inline' to the <meta http-equiv="Content-Security-Policy" content="default-src in your index.html to allow inline Jscript to be included?
Upvotes: 0
Related Questions
- How to check cordova android version of a cordova/phonegap project?
- Cordova [Android platform] migration from API 29 to API 30
- Apple will no longer accept submissions of new apps that use UIWebView as of April 30, 2020
- How i can remove android.permission.CAMERA from cordova build?
- Using Cordova 5.3.3 cli for Android but unable to upload apk on Google Play Store?
- ionic : console.log not showing in xcode with cordova 4.1.1
- Cordova splash screen visible while navigation in multipage Android app