[
https://issues.apache.org/jira/browse/CB-13648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16295756#comment-16295756
]
Joe Bowser commented on CB-13648:
---------------------------------
Well, this is a complicated issue for many reasons.
1. Devices that were no longer supported after Heartbleed hit would still be
vulnerable to this, so anything that was EOLed in 2014 is affected.
2. Google System WebView became an installable component back in Android 5.0,
so installing the latest WebView is the best solution to work around this issue
for Cordova.
3. The reason you have to buy a new device once an OEM stops supporting it IS
these sorts of vulnerabilities.
There are third-party plugins that use a different method for loading SSL
content into a WebView, but I have no idea what the performance hit is, nor do
I know whether it's even worth it, since this would be a small subset of our
currently supported users. Honestly, this just seems more like a really good
argument for dropping support for Android 4.4 devices than anything else.
> Cordova Android Security Concern? What is the correct workflow for apps with
> this issue? (see description)
> ----------------------------------------------------------------------------------------------------------
>
> Key: CB-13648
> URL: https://issues.apache.org/jira/browse/CB-13648
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android
> Reporter: Abhishek Joshi
> Assignee: Joe Bowser
>
> https://developer.android.com/training/articles/security-gms-provider.html
> 1) Is this bug discussed above a concern with Cordova apps out of the box
> (near helloworld level of apps), since Cordova runs off WebViews?
> 2) If this bug is a concern, what should the correct workaround be? Do I need
> to create my own plugin to manage this? Is there a solution?
> 3) Any comments?