Google Play Store incorrectly flagging Worklight apps
Michael Billau
The Google Play Store is notifying developers whose apps use a version of Apache Cordova older than 3.5.1 that the app is built on a version containing security vulnerabilities and should be moved to Cordova 3.5.1 or later as soon as possible. While correct in general, this does not apply to IBM Worklight customers who have already applied the fix for the vulnerability. Please see the security bulletin: http
From observation, the Play Store's flag appears to be based solely on the Cordova version string found in the application. The Play Store may be unaware that IBM ships its own distribution of Cordova, which receives fixes beyond what is available in the open source community. As part of that support for Worklight customers, IBM has backported the vulnerability fix to the older versions of the IBM distribution of Cordova that are included in the Worklight product: fixes have been released for the IBM distribution of Cordova 2.3.0, 2.6.0, 3.1.0, and 3.4.0, which ship with Worklight 5.0.6, 6.0, 6.1, and 6.2 respectively. Because the IBM distribution of Cordova is embedded in the Worklight product, the Cordova fix is delivered as a Worklight fix, and Worklight customers do not need to upgrade to Cordova 3.5.1 to address this vulnerability.

In backporting the fix, IBM did not change the Cordova version number in the distribution. For Worklight customers who have applied the fix, the Cordova version string is unchanged: 2.3.0, 2.6.0, 3.1.0, or 3.4.0.

Therefore, the version number of the IBM distribution of Cordova is not sufficient to determine whether the vulnerability fix is present.
There is a simple and more accurate way to detect the fix, for both the open source distribution and the IBM distribution: the fix adds a new Java class to the application, so checking for the presence of that class tells you whether the fix is installed regardless of the version string. Detailed instructions for identifying this class and confirming that the fix is installed are in our blog post: http
See the section titled "Verify that the patch was applied".
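The following script is an added example for this post, not IBM or Google tooling. It shows the check the post describes: read the Cordova version string out of the APK (what the Play Store appears to key on), then look inside classes.dex for the class that the fix adds, and base the verdict on the class rather than the version. The post does not name the fix class, so the script takes the class name as a parameter; `org.apache.cordova.HypotheticalFixMarker` is a placeholder used only to build the in-memory sample APK, and the fallback that reads a leading `// x.y.z` header comment from cordova.js is an assumption about older cordova.js layouts. Substring-searching the dex for the `Lpkg/Class;` descriptor is a heuristic: ASCII class descriptors are stored verbatim in the dex string table, so it works on real APKs without a dex parser.

```python
"""Decide whether a Cordova/Worklight APK carries the vulnerability fix by looking for
the fix's Java class, not by trusting the Cordova version string.

Usage: python check_cordova_fix.py app.apk org.apache.cordova.TheFixClass
(class name taken from the blog post linked above; not named in this post)
"""
import io
import re
import sys
import zipfile

# Cordova 3.x cordova.js carries: var PLATFORM_VERSION_BUILD_LABEL = '3.4.0';
VERSION_LABEL_RE = re.compile(r"PLATFORM_VERSION_BUILD_LABEL\s*=\s*['\"]([0-9]+(?:\.[0-9]+)+)")
# Assumption: older cordova.js builds put the version in a leading "// x.y.z" comment.
HEADER_VERSION_RE = re.compile(r"^//\s*([0-9]+\.[0-9]+\.[0-9]+)\s*$", re.MULTILINE)

# Placeholder name used only for the constructed sample APK below.
HYPOTHETICAL_FIX_CLASS = "org.apache.cordova.HypotheticalFixMarker"


def parse_version(text):
    """'3.4.0' -> (3, 4, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def cordova_version(apk):
    """Version string from assets/www/cordova.js, or None if not found."""
    with zipfile.ZipFile(apk) as z:
        try:
            js = z.read("assets/www/cordova.js").decode("utf-8", "replace")
        except KeyError:
            return None
    m = VERSION_LABEL_RE.search(js) or HEADER_VERSION_RE.search(js)
    return m.group(1) if m else None


def dex_descriptor(class_name):
    """'org.apache.cordova.Foo' -> b'Lorg/apache/cordova/Foo;' (dex string-table form)."""
    return ("L" + class_name.replace(".", "/") + ";").encode()


def dex_has_class(apk, class_name):
    """Heuristic: the descriptor appears verbatim in classes.dex / classesN.dex."""
    needle = dex_descriptor(class_name)
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name == "classes.dex" or re.fullmatch(r"classes\d+\.dex", name):
                if needle in z.read(name):
                    return True
    return False


def assess(apk, fix_class):
    """Combine the version-only view (Play Store's apparent check) with the class check."""
    version = cordova_version(apk)
    flagged_by_version = version is not None and parse_version(version) < (3, 5, 1)
    has_fix_class = dex_has_class(apk, fix_class)
    if has_fix_class:
        verdict = "fixed"            # backported fix present, whatever the version says
    elif version is None:
        verdict = "unknown"          # no cordova.js: cannot say anything from the version
    elif flagged_by_version:
        verdict = "vulnerable"       # old version and no fix class: the flag is right
    else:
        verdict = "fixed"            # 3.5.1 or later ships the fix upstream
    return {"version": version, "flagged_by_version": flagged_by_version,
            "has_fix_class": has_fix_class, "verdict": verdict}


def build_sample_apk(version, include_fix_class):
    """Constructed sample: a minimal APK-shaped zip for demonstration, not a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/cordova.js",
                   "// Platform: android\n// %s\nvar PLATFORM_VERSION_BUILD_LABEL = '%s';\n"
                   % (version, version))
        classes = [b"Lorg/apache/cordova/CordovaWebView;"]
        if include_fix_class:
            classes.append(dex_descriptor(HYPOTHETICAL_FIX_CLASS))
        # Stand-in for classes.dex: magic header plus NUL-separated descriptors.
        z.writestr("classes.dex", b"dex\n035\0" + b"\0".join(classes) + b"\0")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(assess(sys.argv[1], sys.argv[2]))
    else:
        for ver, fixed in (("3.4.0", True), ("3.4.0", False), ("3.5.1", False)):
            print(ver, "fix class" if fixed else "no fix class",
                  assess(build_sample_apk(ver, fixed), HYPOTHETICAL_FIX_CLASS))
```

Run without arguments it walks the three constructed cases: a 3.4.0 build with the fix class is reported fixed even though its version alone would be flagged, a 3.4.0 build without the class is reported vulnerable, and a 3.5.1 build is not flagged by version at all. Against a real Worklight APK, pass the path and the class name from the linked blog post.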
We are in the process of reaching out to the Play Store to help provide more targeted identification of vulnerable apps.
[Update]: Google appears to have modified the technique used to detect vulnerable applications and is no longer flagging Worklight applications that use the updated versions of Cordova. See the following blog post for instructions on triggering a Google Play Store rescan of your application so that the vulnerability flag is removed: http