
[RESOLVED] Google Play Store Apache Cordova Vulnerabilities

PaulF_IntelCorp
Employee
2,931 Views

Please upgrade to Intel XDK 3088 or later and build with the new CLI 5.x build options available in that release to resolve this issue. The specific issue addressed by this release is outlined in this Google FAQ > https://support.google.com/faqs/answer/6325474

- - - - original message - - - -

If you receive a message from the Google Play Store similar to the following:

Hello Google Play Developer,

Your app(s) listed at the end of this email utilize a version of Apache Cordova, an open-source mobile development framework, that contains one or more security vulnerabilities.

Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible and increment the version number of the upgraded APK. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.

You should migrate your app to our CLI 5.1.1 build system, in preparation for our upcoming CLI 5.4.1 build system. Our CLI 5.4.1 build system will resolve this problem. We are investigating if it is possible to update our CLI 5.1.1 build system, as well, but cannot promise at this time that our CLI 5.1.1 build system can or will be upgraded to resolve this issue.

Note that Google is not removing or deleting your currently published app from their store; they are stating that you will not be able to publish apps or updates to apps built with less than cordova-android@4.1.1 beginning May 9, 2016. Your existing published versions will remain available in the store after that date, and any updates you apply to your apps before that time will also be available in the store.

The CLI version number does not equal the Apache Cordova version number. For details regarding Intel XDK CLI version numbers and the corresponding Apache Cordova version numbers, please read this FAQ > Why does the Cordova version number not match the Projects tab's Build Settings, the Emulate tab, App Preview and my built app?

---- Additional Notes ----

The transition from CLI 5.1.1 to our upcoming CLI 5.4.1 should be easier than the process of going from CLI 4.1.2 to CLI 5.1.1; however, there is no guarantee that it will be "seamless"; every situation is different. The specific plugins you use generally have the most impact on changing the version of CLI, so trying different plugin versions, especially newer versions of featured and third-party plugins, is the best place to start when upgrading your project to a new version of CLI.

The version of cordova-android that will be in the CLI 5.4.1 build system does meet the requirements set by the Google Play store. We hope to do the same for CLI 5.1.1, but there is no guarantee, at this time, that we will be able to do so. We will update the forum as new information becomes available.

To upgrade your project to CLI 5.1.1, open the Build Settings pane on the Projects tab and select the pencil icon next to the Cordova CLI Version field. When you upgrade the CLI version you may be prompted to also upgrade the version of your plugins (especially the core Cordova plugins). In most cases it is best to accept the recommended upgrades to the plugins. Note that most featured and third-party plugins will NOT have a recommended version upgrade; however, after testing you may find that you also need to upgrade some of those plugins. Since each project is unique, there is no hard and fast rule regarding whether you should upgrade every plugin in your project; we recommend that you test your project on real devices before submitting your app to the store.

Details and documentation regarding how to work with the Projects tab, plugins and the plugin management tool can be found in the Intel XDK documentation:

If you are experiencing issues with your upgrade from CLI 4.1.2 to CLI 5.1.1, please see this forum post for possible solutions > https://software.intel.com/en-us/forums/intel-xdk/topic/606371

For details regarding the reason that Google is making this policy change, please see this Google Play FAQ titled "How to fix apps with Apache Cordova vulnerabilities" > https://support.google.com/faqs/answer/6325474

0 Kudos
47 Replies
Lucas_Mauro_L_
Beginner
963 Views

Mhd Ghaleb N. wrote:

Hi,

My App is still pending publication, and since Richard's app is published I think my problem is not related to intel XDK or the cordova CLI.

I received the below reply today from Google:

"I appreciate your patience while our team investigates the behavior you experienced. I checked in with our team and they’ve recently made some changes that should fix the problem. With the recent set of changes, please check to see if you’re still experiencing the same issue."

Ps. I know that this is irrelevant but I think the problem is with the content rating I submitted around 5 and still didn't get the IARC Certificate

 

What is the support page or email where you sent your question?
0 Kudos
Mhd_Ghaleb_N_
Beginner
963 Views

Lucas Mauro L. wrote:

What is the support page or email where you sent your question?

In the developer console, in the top right corner, you can see a button with a question mark; click it and then click Send Email, or contact:

googleplay-developer@google.com

0 Kudos
Lucas_Mauro_L_
Beginner
963 Views

Mhd Ghaleb N. wrote:

Quote:

Lucas Mauro L. wrote:

 

What is the support page or email where you sent your question?

 

 

In the developer console, in the top right corner, you can see a button with a question mark; click it and then click Send Email, or contact:

googleplay-developer@google.com

 

THANKS MAN

0 Kudos
Lucas_Mauro_L_
Beginner
963 Views

Has anyone managed to solve this? Can you help me?

0 Kudos
Smith__J
Beginner
963 Views

Has anyone had problems with this, publishing on Apple? (I don't have an Apple developer account yet, and don't want to give them $100 if I can't publish)

0 Kudos
Joao_Sergio_da_Silva
963 Views

I received the same message from Google and got a little worried. More calm now that I know Intel is working hard to solve it before Google blocks our apps

0 Kudos
PaulF_IntelCorp
Employee
963 Views

@JS -- this issue is specific to publishing Android apps in the Google Play store, it has nothing to do with publishing apps to the Apple Store.

0 Kudos
Tadeu_r_
Beginner
963 Views

I just sent another app, CLI 5.1. It still works fine, but I still got the warning from Google.

0 Kudos
James_F_2
Beginner
963 Views

I clicked the pencil icon and the highest one is CLI 5.1.1

What does Google mean by update Cordova? How will we know when we can recompile and update the new APKs? Like, how will we know when we are able to use XDK to recompile and export with the updated Cordova that Google is asking for?

0 Kudos
James_F_2
Beginner
963 Views

Joao Sergio da Silva Costs wrote:

I received the same message from Google and got a little worried. More calm now that I know Intel is working hard to solve it before Google blocks our apps

Same here.  My concern is, how will we know when the new Cordova is ready? I know that we will have to recompile and export update .apks.  That's fine.  New version of Cordova, new recompile and new export as an updated .apk.

But how will we know when XDK has the updated Cordova? Will Google kick our apps off of the store?

When XDK has the new version of Cordova that Google says is needed, will XDK update automatically when we launch it, after the XDK update has dropped? How will we know that it's been updated to the latest version of Cordova, so we know that we are able to recompile and export the .apk with the latest version of Cordova?

0 Kudos
Josef_J_
Beginner
963 Views

James F. wrote:

Quote:

Joao Sergio da Silva Costs wrote:

 

I received the same message from Google and got a little worried. More calm now that I know Intel is working hard to solve it before Google blocks our apps

 

 

Same here.  My concern is, how will we know when the new Cordova is ready? I know that we will have to recompile and export update .apks.  That's fine.  New version of Cordova, new recompile and new export as an updated .apk.

But how will we know when XDK has the updated Cordova? Will Google kick our apps off of the store?

When XDK has the new version of Cordova that Google says is needed, will XDK update automatically when we launch it, after the XDK update has dropped? How will we know that it's been updated to the latest version of Cordova, so we know that we are able to recompile and export the .apk with the latest version of Cordova?

1- Read this article 

here is the link  -- > https://support.google.com/faqs/answer/6325474

Google will NOT remove your app; the only thing is, you won't be able to update the app if the update includes the Cordova version with the vulnerabilities.

"Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova."

2- When there is a new update, you will receive a notification when you start the software, and you can check what's new in the release here -->

https://software.intel.com/en-us/xdk/docs/release-notes-information-intel-xdk

0 Kudos
PaulF_IntelCorp
Employee
963 Views

Thank you, Josef.

To reiterate what Josef pointed out:

  • you are receiving a warning from Google regarding updates and new apps that will be published after May 9 of this year
  • Google will not remove existing published apps from the store that use less than cordova-android@4.1.1
  • CLI 5.1.1 does not equal cordova-android@4.1.1 (read the original post and follow the links provided there)
  • the next major XDK release will include support for cordova-android@4.1.1 (and higher)
  • that new build system will be available well before May 9, 2016

Please read the original post AND the entire thread AND follow the links provided in the original post!!

0 Kudos
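
Since the CLI number shown in the XDK is not the cordova-android version Google checks, one way to confirm what a built APK actually contains is to read the platform label from the `cordova.js` packaged inside it. The following is an added example, not part of the original thread and not Intel or Google code; it assumes the APK bundles `assets/www/cordova.js` with a `PLATFORM_VERSION_BUILD_LABEL` line, and the function names and the in-memory sample APK are constructed for illustration.

```python
import io
import re
import zipfile

MIN_SAFE = (4, 1, 1)  # cordova-android threshold quoted in the Google Play notice
CORDOVA_JS = "assets/www/cordova.js"  # assumed location of cordova.js in the APK
LABEL_RE = re.compile(r"PLATFORM_VERSION_BUILD_LABEL\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(label):
    """Return (major, minor, patch, is_release); '4.1.1-dev' sorts below '4.1.1'."""
    core, _, suffix = label.partition("-")
    parts = [int(p) for p in core.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (0 if suffix else 1,)


def cordova_android_version(apk):
    """Read the platform label from an APK path or file-like object, or None."""
    with zipfile.ZipFile(apk) as zf:
        try:
            js = zf.read(CORDOVA_JS).decode("utf-8", errors="replace")
        except KeyError:
            return None  # not a Cordova build, or www assets live elsewhere
    match = LABEL_RE.search(js)
    return match.group(1) if match else None


def check_apk(apk):
    """Classify an APK as 'ok', 'blocked' (pre-4.1.1) or 'unknown'."""
    label = cordova_android_version(apk)
    if label is None:
        return "unknown", None
    try:
        ok = parse_version(label) >= MIN_SAFE + (1,)
    except ValueError:
        return "unknown", label  # label present but not a dotted version
    return ("ok" if ok else "blocked"), label


def constructed_apk(label):
    """Build an in-memory stand-in APK (constructed sample, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORDOVA_JS, "var PLATFORM_VERSION_BUILD_LABEL = '%s';\n" % label)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sample in ("3.6.4", "4.1.1-dev", "4.1.1", "5.1.0"):
        print(sample, check_apk(constructed_apk(sample)))
```

`check_apk` also accepts a path to a real `.apk` file; an "unknown" result means the label could not be read and the build should be inspected by hand.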
James_F_2
Beginner
963 Views

Paul F. (Intel) wrote:

Thank you, Josef.

To reiterate what Josef pointed out:

  • you are receiving a warning from Google regarding updates and new apps that will be published after May 9 of this year
  • Google will not remove existing published apps from the store that use less than cordova-android@4.1.1
  • CLI 5.1.1 does not equal cordova-android@4.1.1 (read the original post and follow the links provided there)
  • the next major XDK release will include support for cordova-android@4.1.1 (and higher)
  • that new build system will be available well before May 9, 2016

Please read the original post AND the entire thread AND follow the links provided in the original post!!



Thank you kindly, Paul and Josef, for the information.  I appreciate Intel staying on top of this matter. : )

0 Kudos
PaulF_IntelCorp
Employee
963 Views

Hi,

Is there an article that explains the step-by-step process of submitting newly built versions of our APK files to the Google Play developer console?

In the build settings, what needs to be changed to represent the new version?

Do we need to deactivate the old versions in google play console for both apk files before submitting the new versions?

Thanks

Just increase the version code appropriately to add newer versions in the Google Play store.

0 Kudos
Luiz_G_
Beginner
963 Views

 I hope that will be solved by Intel soon.

0 Kudos
Avihay_H_
Beginner
963 Views

Hi, any news with the new Intel XDK version? I need to upload new versions and I can't because of this CLI thing... when the new version is going to be available?

0 Kudos
Dione_Batista
Beginner
963 Views
Thanks man, this helps me.
0 Kudos
Leonidas_S_
New Contributor I
963 Views

How do I know that 5.4.1 is OK to use? Do I just change the Cordova version, and if I get no error, it is OK? Is Cordova 5.4.1 available in the XDK?

0 Kudos
Javier_del_A_
Beginner
963 Views

Good morning, classmate. Is there any news on the Intel implementation of the Cordova plugin that is compatible with Google's requirements?

Do we know an approximate date for the release of the new version of Intel? When can we hope for it? Will we have it in March?

I am very happy with the team's work, and as an Intel user I am faithful to the team. But I have several apps stopped by this little problem, and I would like to put them in the Google store as soon as possible. So we would appreciate it if you could give an approximate release date for the new Intel version, to see if we can all start working hard in March. Thank you so much.

I know it's complicated and they are doing everything possible. Things have to be done right, and that takes time.

I only wonder if we could have the new version of Intel XDK this month. It would be interesting to know.

Thanks again and good luck to the team of Intel, since they are working hard with this.

0 Kudos
Pamela_H_Intel
Moderator
875 Views

Avihay and Javier - the warning will not stop your app from being accepted into the Play store, nor will it make apps already in the Play store fail. It is only a warning.

It is against Intel policy to announce dates. I can only say that the new XDK version will be released very soon.

Leonidas - 5.4.1 is not yet implemented in the XDK. It will be very soon.

0 Kudos
Smith__J
Beginner
875 Views

I just got this notice on all my XDK apps on Google Play: "One or more of your apps were rejected for violation of Google Play policies. Once you address the issues you can resubmit your apps."

They appear to still be available in the Google Play store. One question, will I HAVE TO update these before May, and resubmit? Besides this issue, I have no reason to update, and I think I have at least 20 apps up.

0 Kudos