How to fix apps with Apache Cordova vulnerabilities

This information is intended for developers of apps that utilize any version of Apache Cordova that precedes 4.1.1. These versions contain security vulnerabilities and are in violation of the Dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.  

Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible and increment the version number of the upgraded APK. If you are using a 3rd party library that includes Apache Cordova, please notify the 3rd party and work with them to address the issue.

What’s happening

Beginning July 11, 2016, Google Play started to block the publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova. Please refer to the notice on your Play ConsoleAfter the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required​

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

  • CVE-2015-5256; applies to pre-4.1.1 versions of Apache Cordova. These versions are vulnerable to improper application of whitelist restrictions on Android. This results in a vulnerability where whitelist restrictions are not properly applied. Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution of non-whitelisted Javascript. 
  • CVE-2015-1835; applies to pre-4.0.2 versions of Apache Cordova. These versions are vulnerable to remote exploit of secondary configuration variables in Apache Cordova on Android. Affected apps that don't have explicit values set in Config.xml can have undefined configuration variables set by Intent. This can cause unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing. 
  • CVE-2014-3502; applies to pre-3.5.1 versions of Apache Cordova. Vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials. 

Upgrading and technical questions
For help upgrading, please see the Apache Cordova website. If you have other technical questions about Apache Cordova, please post to https://www.stackoverflow.com/questions and use the tags “android-security” and “cordova.”

Note: while these issues may not affect every app that uses Apache Cordova versions prior to 4.1.1, it’s best to stay up to date on all security patches. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Was this article helpful?
How can we improve it?