Hi Eric, I also build an app at Como.com and received the same message as displayed on this forum.

Security alert

This app is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova v3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova.

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.

I contacted them and they said they will take care of this, but I think that Google Play support should be sending this message to them too, so they could take measures. I am just a customer and I think that they should be warned about this fact, 'cause I was surprised to receive this message!

Also one thing, when downloading this app on your store it seems that there is a request for permission towards my future customers on acquiring pictures and all info available on this person's phone. Is that alright? Is that normal? Why the need for acquiring my customers' information??

Sincerely,
Max.

On Wednesday, October 1, 2014 5:24:54 PM UTC-4, Campbell Moss wrote:
> The company I work for develops apps based on Apache Cordova. We recently
> started receiving the following email:
>
> *From:* Google Play Developer Support [mailto:[email protected]]
> *Sent:* Wednesday, October 01, 2014 11:49 AM
> *To:*
> *Subject:* Security Alert: Apache Cordova vulnerabilities in your Google
> Play app
>
> This is a notification that your com.x.tablet, is built on a version of
> Apache Cordova that contains security vulnerabilities. This includes a high
> severity cross-application scripting (XAS) vulnerability. Under certain
> circumstances, vulnerable apps could be remotely exploited to steal
> sensitive information, such as user login credentials.
>
> *You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible.*
> For more information about the vulnerabilities, and for guidance on
> upgrading Apache Cordova, please see
> http://cordova.apache.org/announcements/2014/08/04/android-351.html.
>
> *Please note, applications with vulnerabilities that expose users to risk
> of compromise may be considered “dangerous products” and subject to removal
> from Google Play.*
>
> Regards,
>
> Google Play Team
>
> We were aware of this vulnerability, and during our investigation have
> determined that our apps are not vulnerable as they don't use the intent
> filter that permits the exploit.
>
> My question is, will Google be removing all apps that use older versions
> of Cordova from Google Play?

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
