apache / cordova-plugin-inappbrowser

Apache Cordova InAppBrowser Plugin
https://cordova.apache.org/
Apache License 2.0

Warning when submitting to play store - JavaScript Interface Injection #1048

Closed gabides closed 2 months ago

gabides commented 3 months ago

Bug Report

Problem

What is expected to happen?

App should be reviewed by play store with no warning. This is quite urgent as the store is requiring the issue to be fixed by May 01 2024

What does actually happen?

Apps uploaded to the play store are receiving the following warning:

Hello Google Play Developer,

We reviewed XYZ APP, with package name com.xyz.app, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Device and Network Abuse policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Vulnerability
JavaScript Interface Injection
Your app(s) are using a WebView that is vulnerable to JavaScript interface injection.

To address this issue, follow the steps in this Google Help Center article.

org.apache.cordova.inappbrowser.VideoEnabledWebView.addJavascriptInterface
APK Version(s)
123456789

Deadline to fix
May 01, 2024

To confirm you’ve upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We’ll show a warning message if the app hasn’t been updated correctly.

While these vulnerabilities may not affect every app, it’s best to stay up to date on all security patches.

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Best,

The Google Play Team

Information

addJavascriptInterface is called with an object here: https://github.com/apache/cordova-plugin-inappbrowser/blob/6.0.x/src/android/InAppBrowser.java#L992

Play Store advises against doing this: https://support.google.com/faqs/answer/9095419?hl=en-GB

Environment, Platform, Device

Android

Command or Code

Build a Capacitor app with plugin cordova-plugin-inappbrowser v5 or v6 and try to submit it on the Play Store.

Version information

cordova-plugin-inappbrowser v6


breautek commented 3 months ago

org.apache.cordova.inappbrowser.VideoEnabledWebView

This namespace isn't part of the original Apache plugin. Are you using a fork?

The apache version does use JavascriptInterface but in a way that I don't believe is considered insecure.

https://github.com/apache/cordova-plugin-inappbrowser/blob/6.0.x/src/android/InAppBrowser.java#L992 is not the same as what Google referenced: org.apache.cordova.inappbrowser.VideoEnabledWebView.addJavascriptInterface

More specifically, we do not have a VideoEnabledWebView class that Google is referencing.

jcesarmobile commented 2 months ago

Yes, it’s a fork, not the official plugin, closing as invalid. Using addJavascriptInterface doesn’t make the app insecure, the fork might be doing something that Google considers insecure.
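For readers hitting the same Play warning, here is an added illustration (not code from the plugin, the fork, or this thread) of what "JavaScript interface injection" refers to: an interface attached once stays callable from every page the WebView navigates to, so the hardened form only exposes it while a trusted HTTPS origin is being loaded. `NativeBridge`, `TRUSTED_HOST`, `getDeviceToken` and the `WebResourceRequest` overload (API 24+) are assumptions for the example.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Assumed host-app object. Only @JavascriptInterface methods are reachable from
// page script (API 17+), but they are reachable from ANY page the WebView
// loads, including every iframe in it, which is what the Play warning means.
class NativeBridge {
    @JavascriptInterface
    public String getDeviceToken() { return "placeholder-token"; } // constructed value
}

class WebViewSetup {
    static final String BRIDGE_NAME = "NativeBridge";
    static final String TRUSTED_HOST = "example.com"; // assumed trusted origin

    // Weak: bridge attached once and never removed. A link, redirect or
    // content injected over plain HTTP on any other origin can call it.
    static void attachUnconditionally(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), BRIDGE_NAME);
    }

    // Hardened: decide per top-level navigation, before the page loads, since
    // add/remove only take effect on the next (re)load.
    static void attachOriginGated(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                applyGate(view, request.getUrl());
                return false; // let the WebView perform the navigation itself
            }
        });
    }

    // shouldOverrideUrlLoading is not invoked for loadUrl(), so gate that too.
    static void load(WebView webView, String url) {
        applyGate(webView, Uri.parse(url));
        webView.loadUrl(url);
    }

    static void applyGate(WebView view, Uri url) {
        boolean trusted = "https".equals(url.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(url.getHost());
        if (trusted) view.addJavascriptInterface(new NativeBridge(), BRIDGE_NAME);
        else view.removeJavascriptInterface(BRIDGE_NAME); // strip before untrusted content runs
    }
}
```

The gate only inspects the top-level URL; a third-party iframe embedded in a trusted page still sees the object, so the trusted page itself must not embed untrusted frames.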

gabides commented 2 months ago

Hi, yes, sorry, I didn't realise that we recently patched the code of the cordova-plugin-inappbrowser with some code from a fork.