Apache Cordova security vulnerability

Question

I've recently uploaded an android app to Google Play and I've got the well known security vulnerability warning Apache Cordova security vulnerability. I'm a bit confused because I'm using Cordova CLI 6.0.0 and Cordova Android 5.1.1. What I'm doing wrong?

Project info:

>cordova platform ls
Installed platforms: android 5.1.1
Available platforms: amazon-fireos, blackberry10, browser, firefoxos, webos, windows, windows8, wp8

>cordova --version
6.0.0

>cordova plugin ls
cordova-plugin-device 1.1.2-dev "Device"
cordova-plugin-dialogs 1.2.1-dev "Notification"
cordova-plugin-file 4.1.2-dev "File"
cordova-plugin-file-transfer 1.5.1-dev "File Transfer"
cordova-plugin-geolocation 2.1.1-dev "Geolocation"
cordova-plugin-globalization 1.0.3-dev "Globalization"
cordova-plugin-inappbrowser 1.3.1-dev "InAppBrowser"
cordova-plugin-network-information 1.2.1-dev "Network Information"
cordova-plugin-splashscreen 3.2.1-dev "Splashscreen"
cordova-plugin-whitelist 1.2.2-dev "Whitelist"

I've tried to add/remove next lines in config.xml

<plugin name="cordova-plugin-whitelist" spec="1" />
<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>

I've also tried adding and removing next line in index.html

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

This is the email I received from Google Play Team:

Hello Google Play Developer,

We rejected XXXXXX, package ID XXXXXXX, for violating our Malicious Behavior policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users.

Below is the list of vulnerabilities and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability APK Version(s) Apache Cordova The vulnerabilities were fixed in Apache Cordova v.3.5.1.

You can find more information and next steps in this Google Help Center article.

search your project for old cordova.js files – jcesarmobile Mar 15 '16 at 13:40 — jcesarmobile, Mar 15 '16 at 13:40

score 3 · Accepted Answer · answered Mar 17 '16 at 15:14

As @jcesarmobile said, there are several cordova.js files in the cordova project. I had to update not only the main cordova.js file in www folder but I had to manually update this file in other folders (such as /platform/android/assets/www); then I was able to upload a new version without Security Warnings in Google Play.

score 0 · Answer 2 · answered Mar 10 '16 at 08:46

0

A long shot - and one not explicitly mentioned by Google although they are looking for XSS exposures - but have you perhaps added an 'unsafe-inline' to the <meta http-equiv="Content-Security-Policy" content="default-src in your index.html to allow inline Jscript to be included?

answered Mar 10 '16 at 08:46

decomplexity

343
2
4
13

No. I haven't used any security policy in my index.html – acimutal Mar 10 '16 at 10:06

Apache Cordova security vulnerability

2 Answers2