
[RESOLVED] Google Play Store Apache Cordova Vulnerabilities

PaulF_IntelCorp
Employee
2,925 Views

Please upgrade to Intel XDK 3088 or later and build with the new CLI 5.x build options available in that release to resolve this issue. The specific issue addressed by this release is outlined in this Google FAQ > https://support.google.com/faqs/answer/6325474

- - - - original message - - - -

If you receive a message from the Google Play Store similar to the following:

Hello Google Play Developer,

Your app(s) listed at the end of this email utilize a version of Apache Cordova, an open-source mobile development framework, that contains one or more security vulnerabilities.

Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible and increment the version number of the upgraded APK. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.

You should migrate your app to our CLI 5.1.1 build system, in preparation for our upcoming CLI 5.4.1 build system. Our CLI 5.4.1 build system will resolve this problem. We are investigating if it is possible to update our CLI 5.1.1 build system, as well, but cannot promise at this time that our CLI 5.1.1 build system can or will be upgraded to resolve this issue.

Note that Google is not removing or deleting your currently published app from their store; they are stating that you will not be able to publish apps or updates to apps built with less than cordova-android@4.1.1 beginning May 9, 2016. Your existing published versions will remain available in the store after that date, and any updates you apply to your apps before that time will also be available in the store.

The CLI version number does not equal the Apache Cordova version number. For details regarding Intel XDK CLI version numbers and the corresponding Apache Cordova version numbers, please read this FAQ > Why does the Cordova version number not match the Projects tab's Build Settings, the Emulate tab, App Preview and my built app?

---- Additional Notes ----

The transition from CLI 5.1.1 to our upcoming CLI 5.4.1 should be easier than the process of going from CLI 4.1.2 to CLI 5.1.1; however, there is no guarantee that it will be "seamless"; every situation is different. The specific plugins you use generally have the most impact on changing the version of CLI, so trying different plugin versions, especially newer versions of featured and third-party plugins, is the best place to start when upgrading your project to a new version of CLI.

The version of cordova-android that will be in the CLI 5.4.1 build system does meet the requirements set by the Google Play store. We hope to do the same for CLI 5.1.1, but there is no guarantee, at this time, that we will be able to do so. We will update the forum as new information becomes available.

To upgrade your project to CLI 5.1.1, open the Build Settings pane on the Projects tab and select the pencil icon next to the Cordova CLI Version field. When you upgrade the CLI version you may be prompted to also upgrade the version of your plugins (especially the core Cordova plugins). In most cases it is best to accept the recommended upgrades to the plugins. Note that most featured and third-party plugins will NOT have a recommended version upgrade; however, after testing you may find that you also need to upgrade some of those plugins. Since each project is unique, there is no hard and fast rule regarding whether you should upgrade every plugin in your project. We recommend that you test your project on real devices before submitting your app to the store.

Details and documentation regarding how to work with the Projects tab, plugins and the plugin management tool can be found in the Intel XDK documentation:

If you are experiencing issues with your upgrade from CLI 4.1.2 to CLI 5.1.1, please see this forum post for possible solutions > https://software.intel.com/en-us/forums/intel-xdk/topic/606371

For details regarding the reason that Google is making this policy change, please see this Google Play FAQ titled "How to fix apps with Apache Cordova vulnerabilities" > https://support.google.com/faqs/answer/6325474

0 Kudos
47 Replies
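An added example (not part of the original post or of Intel's tooling): because the CLI version number does not equal the Apache Cordova version number, one way to see which cordova-android version a built APK actually carries is to read the build label in its bundled cordova.js and compare it with the 4.1.1 minimum from Google's notice. It assumes the label is stored in `assets/www/cordova.js` as `PLATFORM_VERSION_BUILD_LABEL` (or `CORDOVA_JS_BUILD_LABEL` in older builds); the function names are hypothetical and the sample APKs are constructed in memory.

```python
import io
import re
import zipfile

# Minimum cordova-android version Google Play accepts from May 9, 2016 (per the notice).
MIN_CORDOVA_ANDROID = (4, 1, 1)

# Assumption: cordova.js inside the APK carries one of these build-label variables.
LABEL_RE = re.compile(
    r"(?:PLATFORM_VERSION_BUILD_LABEL|CORDOVA_JS_BUILD_LABEL)\s*=\s*['\"]([^'\"]+)['\"]"
)

def parse_version(label):
    """Turn '4.1.0' or '4.1.0-dev' into (4, 1, 0); missing parts count as 0."""
    nums = re.findall(r"\d+", label.split("-")[0])[:3]
    if not nums:
        raise ValueError("no numeric version in %r" % label)
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def cordova_android_version(apk):
    """Return the build label found in assets/www/cordova.js, or None."""
    with zipfile.ZipFile(apk) as zf:
        try:
            js = zf.read("assets/www/cordova.js").decode("utf-8", "replace")
        except KeyError:
            return None  # not a Cordova app, or an unexpected asset layout
    m = LABEL_RE.search(js)
    return m.group(1) if m else None

def play_store_status(apk):
    """'ok', 'blocked' (pre-4.1.1) or 'unknown' (no label found)."""
    label = cordova_android_version(apk)
    if label is None:
        return "unknown"
    return "ok" if parse_version(label) >= MIN_CORDOVA_ANDROID else "blocked"

def make_sample_apk(label_line):
    """Constructed stand-in for an APK: a zip holding only cordova.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/www/cordova.js", "// constructed sample\n" + label_line + "\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for line in ("var PLATFORM_VERSION_BUILD_LABEL = '4.1.0';",
                 "var PLATFORM_VERSION_BUILD_LABEL = '4.1.1';",
                 "var CORDOVA_JS_BUILD_LABEL = '3.6.3';"):
        print(line, "->", play_store_status(make_sample_apk(line)))
```

`play_store_status` also accepts a path to a real `.apk` file. This is a local check of the bundled label, not a reproduction of how Google Play evaluates an upload.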
Rob_Welan
New Contributor I
1,714 Views

Thanks for this post Paul. I was freaking out for a few minutes there...

0 Kudos
Ad
New Contributor III
1,714 Views

Thanks,

P.S. the term CLI 5.1.1 is a little bit confusing knowing that's not using Cordova 5.1.1 (cordova-android@4.1.0, cordova-ios@3.8.0, cordova-windows@4.0.0)

0 Kudos
jesus_c_2
Beginner
1,714 Views

Hello, I have also been sent the message by Google, and my Cordova plugin shows this. What can I do? Thanks

0 Kudos
Smith__J
Beginner
1,714 Views

So when CLI 5.4.1 comes out (soon I hope!) I just have to rebuild the apks, and resubmit to Google?

0 Kudos
boyo_g_
Beginner
1,714 Views

Thank you, we hope that update is coming ASAP, and if you build with CLI 5.4.1, can you update an old app built with CLI 5.1.1?

0 Kudos
Mhd_Ghaleb_N_
Beginner
1,714 Views

Hi,
Thank you guys for this information, but it seems that Google is not publishing new apps made by the Intel XDK embedded CrossWalk.
I submitted an app to play store more than 24 hours ago and it is still Pending publication

Ps. my old apps are working despite the warning.

0 Kudos
Ivan_H_
Beginner
1,714 Views

jesus c. wrote:

Hello, I have also been sent the message by Google, and my Cordova plugin shows this. What can I do? Thanks

Hello!!! Same case here. What I think is that before May, Intel will have an update that raises the Cordova version; we should keep an eye out.

0 Kudos
Ivan_H_
Beginner
1,714 Views

The new Intel XDK update still does not fix this problem; I already tested it.

0 Kudos
Ad
New Contributor III
1,714 Views

Mhd Ghaleb N. wrote:
Thank you guys for this information, but it seems that Google is not publishing new apps made by the Intel XDK embedded CrossWalk.
I submitted an app to play store more than 24 hours ago and it is still Pending publication

Usually it's a matter of hours!
We'd like to publish our first Crosswalk next week; can you give us an update about the publishing status? Thanks!

Mhd Ghaleb N. wrote:
Ps. my old apps are working despite the warning.

Info from Google: Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.

0 Kudos
PaulF_IntelCorp
Employee
1,714 Views

Mhd Ghaleb N. wrote:

Hi,
Thank you guys for this information, but it seems that Google is not publishing new apps made by the Intel XDK embedded CrossWalk.
I submitted an app to play store more than 24 hours ago and it is still Pending publication

Ps. my old apps are working despite the warning.

@Ghaleb -- Which version of CLI and Crosswalk are you building with?

The embedded versions of Crosswalk that you build with CLI 4.1.2 use an old version of cordova-android (cordova-android@3.6.3 in most cases and even older for CW7) which is due to the build method used for those versions. The version of cordova-android used when building with Crosswalk 15 and CLI 5.1.1 uses cordova-android@4.1.0 and also uses a newer build method that allows us to update the cordova-android framework.

We recommend that you move to CLI 5.1.1 now so you can prepare for moving to CLI 5.4.1 when it becomes available. CLI 5.4.1 will definitely resolve this issue and it will definitely be available before May 9. Please re-read the original post for full details.

0 Kudos
Mhd_Ghaleb_N_
Beginner
1,714 Views

Ok Guys sorry for the late reply.

My App is still pending publication since 2am 9th Feb.

I am Building with Intel XDK embedded Crosswalk (15) with the Cordova CLI version 5.1.1

I sent an email to google for an explanation and still waiting for a reply.

0 Kudos
PaulF_IntelCorp
Employee
1,714 Views

Thanks for that update, Ghaleb. I'm pushing harder on the engineering team to see if we can get the cordova-android framework updated in our CLI 5.1.1 build. Will update as we progress. Please do keep us posted on the reply you get from Google.

0 Kudos
bharat_b_
Beginner
1,714 Views

 

I too had submitted apps with CLI version 5.1.1 only, so it shouldn't have shown the warning in the first place.

 


 

0 Kudos
PaulF_IntelCorp
Employee
1,714 Views

Bharat, please read the entire original post, in particular:

The CLI version number does not equal the Apache Cordova version number. For details regarding Intel XDK CLI version numbers and the corresponding Apache Cordova version numbers, please read this FAQ > Why does the Cordova version number not match the Projects tab's Build Settings, the Emulate tab, App Preview and my built app?

0 Kudos
Richard_T_2
Beginner
1,714 Views

Mhd Ghaleb N. wrote:

Ok Guys sorry for the late reply.

My App is still pending publication since 2am 9th Feb.

I am Building with Intel XDK embedded Crosswalk (15) with the Cordova CLI version 5.1.1

I sent an email to google for an explanation and still waiting for a reply.

I just uploaded my app to Google Play, built in Intel XDK Cordova CLI v. 5.1.1,

and I'm still waiting to see how long they'll take to approve my app. I'll also update here once it's live.

0 Kudos
PaulF_IntelCorp
Employee
1,714 Views

Thank you, Richard, please do post here. We do want confirmation that Google is honoring the notice they sent out, which indicates you should be able to publish and update using cordova-android@4.1.0 until May 9th.

0 Kudos
Richard_T_2
Beginner
1,714 Views

Paul F. (Intel) wrote:

Thank you, Richard, please do post here. We do want confirmation that Google is honoring the notice they sent out, which indicates you should be able to publish and update using cordova-android@4.1.0 until May 9th.

It's published now.

 

0 Kudos
PaulF_IntelCorp
Employee
1,714 Views

Great news, Richard!

As I mentioned earlier in this thread, we are investigating whether or not we can upgrade the current CLI 5.1.1 build system so that it uses cordova-android@4.1.1 -- if that can be done we'll update the status here. If not, our next major release will include an additional CLI build option that will definitely resolve this issue.

0 Kudos
Mhd_Ghaleb_N_
Beginner
1,714 Views

Hi,

My App is still pending publication, and since Richard's app is published I think my problem is not related to intel XDK or the cordova CLI.

I received the below reply today from Google:

"I appreciate your patience while our team investigates the behavior you experienced. I checked in with our team and they’ve recently made some changes that should fix the problem. With the recent set of changes, please check to see if you’re still experiencing the same issue."

Ps. I know that this is irrelevant but I think the problem is with the content rating I submitted around 5 and still didn't get the IARC Certificate

0 Kudos
Lucas_Mauro_L_
Beginner
1,492 Views

Is nobody saying anything more here? Is nobody answering?

0 Kudos