[ https://issues.apache.org/jira/browse/CB-7291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14172340#comment-14172340 ]

Chris Emerson commented on CB-7291:
-----------------------------------

Anyone able to respond to my previous comment? This is somewhat urgent as I 
don't want my app to get flagged/labeled as "dangerous" as gently threatened in 
the email I got from Google a few weeks ago (below). I would just update 
Cordova to 3.5.1 but my app is now using PhoneGap and I'd rather not risk going 
back to Cordova at this point as that normally creates a whole bunch of 
plugin/platform issues. 

=============================

        Subject: Security Alert: Apache Cordova vulnerabilities in your Google 
Play app

        This is a notification that your com.situational.isitlead, is built on 
a version of Apache Cordova that contains security vulnerabilities. This 
includes a high severity cross-application scripting (XAS) vulnerability. Under 
certain circumstances, vulnerable apps could be remotely exploited to steal 
sensitive information, such as user login credentials.

        You should upgrade to Apache Cordova 3.5.1 or higher as soon as 
possible. For more information about the vulnerabilities, and for guidance on 
upgrading Apache Cordova, please see 
http://cordova.apache.org/announcements/2014/08/04/android-351.html.

        Please note, applications with vulnerabilities that expose users to 
risk of compromise may be considered "dangerous products" and subject to 
removal from Google Play.

        Regards,

        Google Play Team

        (c)2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

        Email preferences: You have received this mandatory email service 
announcement to update you about important issues relating to your Google Play 
account.

> Externally-launchable applications should be configurable
> ---------------------------------------------------------
>
>                 Key: CB-7291
>                 URL: https://issues.apache.org/jira/browse/CB-7291
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 3.5.0
>            Reporter: Ian Clelland
>            Assignee: Ian Clelland
>            Priority: Blocker
>             Fix For: 3.6.0
>
>
> Cordova Android versions up to 3.5.0 would launch any and all external 
> applications by URL. Any URL not explicitly whitelisted was sent to the 
> Android intent system for handling. This was the cause of the security 
> vulnerabilities reported by IBM and disclosed in CVE-2014-3502.
> Cordova Android 3.5.1 was released to fix this, which it did by disabling 
> explicit intents, and explaining how to use a plugin to block other URL 
> schemes if desired.
> We want to have a better official solution than this, so that developers can 
> easily configure which applications (sms, email, maps, etc) should be 
> launchable from their Cordova app.
> *Proposal*
> The proposed solution is to maintain a second whitelist within the app, for 
> URL patterns which may be used to launch external applications. Then, on URL 
> loading, these tests will occur (in order):
> # URLs which are whitelisted internally (existing list) will cause internal 
> navigation
> # URLs which are whitelisted externally (new list) will attempt to launch an 
> intent to handle it
> # URLs which are not whitelisted at all (in neither list) will be blocked.
> *Configuration*
> URLs can be added to the new (external) whitelist through an extension to the 
> {{config.xml}} whitelist syntax:
> {code}
> <access origin="sms:*" launch-external="yes" />
> {code}
> (Any non-empty value for the {{launch-external}} attribute will be considered 
> "true" when parsing the {{config.xml}} file)
> *Open questions* (one about forward-thinking security, the other about 
> backwards-compatibility):
> # What should the default external whitelist be in the application template 
> that we ship? This will be the case for new apps built with 3.6.0.
> # What should the default external whitelist be when there are no {{<access 
> launch-external="yes">}} tags in {{config.xml}}? This will be the case for 
> apps which are upgrading to 3.6.0.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
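
The three ordered tests and the `launch-external` parsing rule from the quoted proposal, sketched in Python as an added example (not Cordova's code and not part of the original issue). The function names, the sample `config.xml` and the glob matching, where `*` matches any run of characters, are assumptions for illustration; Cordova's own whitelist matcher may differ.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config.xml; every origin below is illustrative.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://app.example.com/*" />
  <access origin="https:*" launch-external="yes" />
  <access origin="sms:*" launch-external="yes" />
  <access origin="tel:*" launch-external="no" />
  <access origin="geo:*" launch-external="" />
</widget>"""


def _compile(pattern):
    # Assumption: '*' matches any run of characters, everything else is literal.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body + r"\Z", re.DOTALL)


def load_whitelists(config_xml):
    """Split <access> entries into (internal, external) pattern lists."""
    internal, external = [], []
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "access" or not el.get("origin"):
            continue
        # Per the proposal, ANY non-empty launch-external value means true,
        # so launch-external="no" still lands on the external list.
        target = external if el.get("launch-external") else internal
        target.append(_compile(el.get("origin")))
    return internal, external


def classify(url, internal, external):
    """Apply the proposal's tests in order; the first match wins."""
    if any(p.match(url) for p in internal):
        return "internal"   # 1. internal navigation
    if any(p.match(url) for p in external):
        return "external"   # 2. attempt to launch an intent
    return "blocked"        # 3. in neither list


if __name__ == "__main__":
    lists = load_whitelists(SAMPLE_CONFIG)
    for u in ("https://app.example.com/a", "https://other.example/",
              "tel:+15550100", "geo:0,0", "intent:#Intent;end"):
        print(f"{u:30} -> {classify(u, *lists)}")
```

Running a check like this over a project's `config.xml` surfaces entries such as `launch-external="no"` that read as a denial but, under the stated parsing rule, enable external launch.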
