GOOGLE PLAY STORE REJECTS CORDOVA ANDROID APP DUE TO VULNERABILITY ISSUE


mrscb...@gmail.com

Oct 29, 2015, 12:09:54 AM
to phonegap

I tried 3 times to publish a new update of my Cordova Android app in the Google Play Store. Every time Google rejects the new build, saying that there are vulnerabilities in Cordova version 3.5.1, so update to the latest version and publish again. But my Cordova CLI version is 5.1.1 and my Android platform version is 4.0.2. How can I fix it?



Jesse Monroy

Oct 29, 2015, 1:18:44 AM
to phonegap
@mrscb,
Please do not YELL WHEN POSTING THE SUBJECT LINE to your issue.
Next, thank you for the images with very small print that is difficult to read.

The message from GOOGLE is deceptive because it says you should read "for guidance on upgrading". In fact, Google wants you to take some action that is in the link they gave you.

The link is an announcement, which has three security issues:
https://cordova.apache.org/announcements/2014/08/04/android-351.html

  1. CVE-2014-3500: Cordova cross-application scripting via Android intent URLs
  2. CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs
  3. CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading

They all have one thing in common: a URL can be used to create a security issue.

This means you have a hyperlink (or a network action) somewhere in your system that can be used to make your app insecure, and possibly used to attack other systems.

On this, a second announcement by Cordova adds some information
https://cordova.apache.org/announcements/2014/08/06/android-351-update.html

The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn't load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, they could use other applications on the device to "phone home" with the user's data.

Exactly what the problem is, is difficult to say without looking at your code. If you want help, be prepared to make your code publicly available for viewing.

Best of Luck
Jesse

jcesarmobile

Oct 29, 2015, 3:54:27 AM
to phonegap
Probably the old files of the app stayed after updating your Cordova version; try removing the Android platform and adding it again.

Kaan Soral

Oct 29, 2015, 11:50:35 AM
to phonegap
I strangely found the use of CAPS to be appropriate; I generally glance at the daily abridged summary, and this wouldn't have piqued my interest otherwise.

With this said, I agree with jcesarmobile's assessment. Either that, or if Google is searching for "5.1" in the version, both "3.5.1" and "5.1.1" might be triggering that alert :D

Either that, 

Jesse Monroy

Oct 29, 2015, 4:20:56 PM
to phonegap
You might be living on a different planet. ALL CAPS is not appropriate.

Jesse

mrscb...@gmail.com

Dec 9, 2015, 11:57:06 PM
to phonegap
Thank you all for your help.
My issue is solved. I had an old cordova.js in my project directory, which was kept unused. I deleted it and published after rebuilding. Now Google accepted the update.
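The resolution above (a stale cordova.js left in the project tree, not the platform version the CLI reports) is the kind of thing worth checking before every upload, because the rejection is keyed on what actually ships in the build. The script below is an added example, not code from this thread or from the Cordova project: it walks a project directory, finds every cordova.js, reads its version label and flags copies older than a minimum. It assumes the version markers that cordova.js carries (a "// Platform: <name>" header followed by a "// X.Y.Z" line, and/or a CORDOVA_JS_BUILD_LABEL or PLATFORM_VERSION_BUILD_LABEL assignment); a copy with neither marker is reported as "unknown" rather than silently passed. The sample project tree it builds is constructed for the demonstration, and the 3.5.1 threshold is the one from the announcement linked earlier in the thread, passed as a parameter so it can be raised.

```python
"""Find every cordova.js in a Cordova project tree and flag copies whose
build label is older than a minimum version.

Added example, not from the thread or the Cordova project. It ASSUMES the
version markers that cordova.js carries: a "// Platform: <name>" header
followed by a "// X.Y.Z" line, and/or a CORDOVA_JS_BUILD_LABEL or
PLATFORM_VERSION_BUILD_LABEL assignment. A copy with neither is reported
as "unknown" rather than silently passed.
"""
import os
import re
import tempfile

# Minimum version from the 2014-08-04 announcement linked in the thread.
MIN_SAFE = (3, 5, 1)

# Assumed version markers (see module docstring).
HEADER_RE = re.compile(r"//\s*Platform:\s*\w+\s*\n\s*//\s*(\d+\.\d+\.\d+)")
LABEL_RE = re.compile(
    r"(?:CORDOVA_JS_BUILD_LABEL|PLATFORM_VERSION_BUILD_LABEL)\s*=\s*['\"]([^'\"]+)['\"]"
)


def extract_version(text):
    """Return the version label found in cordova.js text, or None."""
    for pattern in (HEADER_RE, LABEL_RE):
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def parse_version(label):
    """'3.5.1' or '3.5.1-dev' -> (3, 5, 1); None if the label is not X.Y.Z."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", label or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def scan_project(root, minimum=MIN_SAFE):
    """Walk root and return sorted (relative path, label, status) tuples.

    status is 'ok', 'stale' (label below minimum) or 'unknown' (no label).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Third-party packages carry their own copies; skip them.
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for name in filenames:
            if name != "cordova.js":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                label = extract_version(handle.read())
            version = parse_version(label)
            if version is None:
                status = "unknown"
            elif version < minimum:
                status = "stale"
            else:
                status = "ok"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, label, status))
    return sorted(findings)


def build_demo_project():
    """Create a constructed sample tree in a temp dir and return its path.

    It mirrors the thread: a current platform copy, stray copies left in
    the project, and a hand-edited copy with no version marker at all.
    """
    root = tempfile.mkdtemp(prefix="cordova-scan-")
    samples = {
        "platforms/android/assets/www/cordova.js":
            "// Platform: android\n// 4.0.2\n"
            "var PLATFORM_VERSION_BUILD_LABEL = '4.0.2';\n",
        "www/cordova.js":
            "// Platform: android\n// 3.5.1\n"
            "var CORDOVA_JS_BUILD_LABEL = '3.5.1';\n",
        "old/cordova.js":
            "// Platform: android\n// 3.4.0\n"
            "var CORDOVA_JS_BUILD_LABEL = '3.4.0';\n",
        "lib/cordova.js":
            "/* hand-edited copy, no version marker */\nwindow.cordova = {};\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(text)
    return root


if __name__ == "__main__":
    demo = build_demo_project()
    for rel, label, status in scan_project(demo):
        print(f"{status:8} {label or '-':8} {rel}")
```

Run it against the real project root instead of the demo tree and treat any "stale" or "unknown" line as something to delete or replace before building; the platform copy under platforms/android is regenerated by the CLI, but anything else named cordova.js is exactly the kind of leftover that resolved this thread.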