Mobilefirst Vulnerable version of Apache Cordova - android

I just received a mail from Google Play about my MobileFirst 6.3 app: Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible.
I have a new version of my app on MobileFirst 7.1, but this new version is only running on Cordova v 3.7.0.
Which version of MobileFirst will be based on v4.1.1 and when can we expect it, if it is not out already? What would be your advised approach, release the app based on cordova 3.7.0 quickly while we still can or wait for cordova 4.1.1 to be included in MobileFirst?
As requested: The following page contains more details about the vulnerabilities:
https://support.google.com/faqs/answer/6325474

No version of Worklight/MobileFirst is supplied with Cordova 4.1.1.
However, IBM patches the Cordova version shipped in Worklight/MobileFirst with fixes for found vulnerabilities.
For this particular announcement by Google, see here: https://mobilefirstplatform.ibmcloud.com/blog/2016/02/16/ibm-mobilefirst-platform-foundation-responds-to-google-play-store-announcement-of-blocking-apps-using-vulnerable-cordova-versions/
In general:
Ensure that you are using the latest available Worklight/MobileFirst iFix and have the application re-built in order to use the patched Cordova.
See below for more information:
https://mobilefirstplatform.ibmcloud.com/blog/2016/02/24/cve-2015-5256-apache-cordova-vulnerable-to-improper-application-of-whitelist-restrictions-on-android/
https://developer.ibm.com/mobilefirstplatform/2015/12/11/cve-2015-5257cve-2015-8320-weak-randomization-of-bridgesecret-for-apache-cordova-android/
https://developer.ibm.com/mobilefirstplatform/2015/07/30/cve-2015-1835-remote-exploit-in-apache-cordova/
https://developer.ibm.com/mobilefirstplatform/2015/10/08/cve-2015-5204-http-header-injection-vulnerability-in-apache-cordova-android-file-transfer-plugin/

Related

Use of cordova-plugin-whitelist

In my cordova hello world project, When I run:
cordova platforms add android
it automatically adds cordova-plugin-whitelist plugin.
From plugin docs it is only for android platform.
Supported Cordova Platforms
Android 4.0.0 or above
My questions are:
What is the use of this plugin?
Why only android? Why not other platforms?
As you have mentioned, this plugin is meant only for Android as the plugin source code itself supports only Android platform.
This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0 and above. The use of this plugin is that it provides better security and configurability than earlier versions of Cordova. In fact it is possible to create your own whitelist plugin, but it is not recommended unless your app has very specific security policy needs.
Also, what I noticed while creating a project in iOS is that it does include the cordova whitelist plugin in the plugins folder, as it's automatically included in config.xml.
But what I infer from the official documentation of iOS whitelisting is that for cordova-ios version 4.0 and above this plugin is not required, but its configuration details apply to iOS too.
You can check out this official cordova link for more detailed info on whitelisting and its application on various platforms.

Updating salesforce Hybrid cordova app

I am a little new to Salesforce Hybrid Mobile application development.
I have a well running hybrid application.
But recently when uploading the APK to play store, play store gives an error
Your APK has been rejected for containing security vulnerabilities, which violates the Malicious Behavior policy. The Alerts page has more information about how to resolve the issue. If you submitted an update, the previous version of your app is still live on Google Play.
After some analysis I found that my android platform version is 3.6.x which might be the reason for rejection.
So I updated cordova android platform of my existing Salesforce Hybrid app using the following command.
cordova platform update android
After updating the version of android platform is 5.2.2
Salesforce Mobile sdk guide says to reinstall the salesforce plugin
So,
cordova plugin remove com.salesforce
And then
cordova plugin add https://github.com/forcedotcom/SalesforceMobileSDK-CordovaPlugin
But, while re-adding the plugin it gives the following message
Plugin doesn't support this project's cordova-android version. cordova-android: 5.2.2, failed version requirement: 5.0.0
Skipping 'com.salesforce' for android
And again running the project in eclipse gives many errors.
Not able to pinpoint the specific issue here.
Any help is appreciated.
Thanks in advance.
You have to update to 5.0.0 instead of 5.2.2 because the Salesforce plugin is made for the 5.0.0 version.
You can see that in the plugin.xml file, in the engines tag.
<engines>
    <engine name="cordova-android" version="5.0.0" />
    <engine name="cordova-ios" version="4.2.0" />
</engines>

Google Play Developer Console Showing Alerts Even After Updating the Cordova Version

Google Play is showing Cordova Security Alerts on my app. And they suggested that I update the existing Cordova version to 4.1.1 or higher.
Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon
as possible and increment the version number of the upgraded APK. If
you are using a 3rd party library that includes Apache Cordova, please
notify the 3rd party and work with them to address the issue.
I have already upgraded my Cordova version to: 4.2.0 and here is the code:
Mds-MacBook-Pro:BanglaGaanerTaroka Morol$ cordova -v
4.2.0
Mds-MacBook-Pro:BanglaGaanerTaroka Morol$
Google Play Developer console still showing this alert and that affected my latest APK version too.
Is there anyone facing the same issue? Or how to solve it?
Thanks in advance.
First of all, you should understand that there is a Cordova CLI version and there are Cordova platform versions.
When Google Play asks you to update to Cordova 4.1.1, it is not asking you to update the CLI to Cordova 4.1.1; it is asking you to update the cordova-android (platform) version to 4.1.1.
If you update the CLI to 4.2.0 you get cordova-android 3.6.4, which is still vulnerable.
So, the first thing you should do is to update the CLI to 6.0.0 (latest version right now) with
npm install -g cordova
But updating the CLI isn't enough, you have to update your project too.
Go to your project folder and run
cordova platform update android
That will update your project to Cordova Android: ~5.1.0
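A small check that codifies this answer's point (it is the installed cordova-android platform version, not the CLI version, that matters), added here as an example and not taken from the original post. The `cordova platform ls` output it parses is a constructed sample; against a real project you would run that command in the project directory and feed its output to the same functions.

```shell
#!/bin/sh
# Added example: verify a Cordova project's *platform* version against the
# 4.1.1 minimum named in the Google Play notice. Not from the original post.

# Minimum cordova-android version from the Google Play notice.
MIN_ANDROID="4.1.1"

# Constructed sample, in the format `cordova platform ls` prints.
SAMPLE_PLATFORM_LS="Installed platforms:
  android 3.6.4
  ios 3.9.2
Available platforms:
  amazon-fireos ~3.6.3
  blackberry10 ~3.6.3"

# Print the installed version of a platform from `cordova platform ls` text.
# Usage: installed_platform_version <platform> <ls_output>
installed_platform_version() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /^Available platforms:/ { exit }   # only the "Installed" section counts
    $1 == p { print $2; exit }'        # "  android 3.6.4" -> 3.6.4
}

# Compare dotted versions numerically (not as strings): prints 1 if $1 >= $2.
version_ge() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
    NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
    END {
      for (i = 1; i <= 3; i++) {
        if (a[i] > b[i]) { print 1; exit }
        if (a[i] < b[i]) { print 0; exit }
      }
      print 1   # all components equal
    }'
}

# Succeeds (exit 0) if the android platform in the ls output meets MIN_ANDROID.
android_platform_ok() {
  v=$(installed_platform_version android "$1")
  [ -n "$v" ] && [ "$(version_ge "$v" "$MIN_ANDROID")" = "1" ]
}

if android_platform_ok "$SAMPLE_PLATFORM_LS"; then
  echo "cordova-android meets $MIN_ANDROID"
else
  echo "cordova-android is below $MIN_ANDROID: run 'cordova platform update android'"
fi
```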

Katzer email plugin is not working in Cordova - iOS

I am building a hybrid application using Cordova and I am stuck at an email functionality. I am using Katzer email plugin from here https://github.com/katzer/cordova-plugin-email-composer.
cordova.plugins.email.open({ });
This functionality is working fine on my Android device, but when I tested it on iOS it's not working at all. No error is thrown from the application.
I am using Cordova version 5.4 and my iOS version is iOS 8.
What is wrong here? Any help would be greatly appreciated.
Note: Will downgrading the version of Cordova help?
Cordova iOS 4.0.0 has some significant changes, please read this blogpost from Cordova:
http://cordova.apache.org/announcements/2015/12/08/cordova-ios-4.0.0.html
That means that you should be careful when using plugins which are older than 08 Dec 2015.
If you make a downgrade, then you should call
cordova clean
That will clean up the project's build artifacts.

New version of Android Eclipse plugin breaks usage on eclipse 3.4 and below

I just noticed that a new version of the Android Development Toolkit was released.
I also noticed that it dropped support for Eclipse version 3.4 which is what I develop on using Pulse to get my plugins. The update site no longer hosts the older version that did support eclipse 3.4 and below. This means I can no longer use my older version since the metadata was deleted.
Would it be possible to get an update site that supports the older Android Plugin so I can continue using eclipse 3.4 as mandated by my employer?
Cheers
Ray
You can get the older ADT plugins OK, but not the older SDKs. It's not publicised, but there are links which work. For example
http://dl.google.com/android/ADT-9.0.0.zip
Versions 10.0.0, 8.0.1, 8.0.0 etc are all available in zip files (just change the URL to the appropriate version number). They're all listed on this page
ADT Plugin for Eclipse