kungfu-king-betty / cordova-plugin-native-app-update

This is a cordova plugin to easily check the iOS App Store or Android Google Play Store for an available app update.
MIT License

com.google.android.play:core:1.7.1 security vulnerability #1

Closed rex-iotum closed 3 years ago

rex-iotum commented 3 years ago

Your Environment

Expected Behavior

Google Play Store not finding a security vulnerability in the SDK

Actual Behavior

Google Play Store finding a security vulnerability in the SDK because of com.google.android.play:core:1.7.1 defined in the build.gradle file.

Steps to Reproduce

  1. Create a cordova app with this plugin
  2. Build and upload an Android app to Google Play Store
  3. Be shown below warning when trying to release the app.

Context

Create and upload Android app with this plugin to the Google Play Store

kungfu-king-betty commented 3 years ago

Sorry about the delayed response. I have not been keeping up with this repo lately, so I appreciate you bringing up this issue, especially since it presents a security risk. I will hopefully have the repo updated very soon; I will be working on it later today when I have time, so you hopefully won't have to wait long.

If you need a quick fix, I would update the build.gradle file in the plugin directory and change com.google.android.play:core:1.7.1 to com.google.android.play:core:1.7.2. This should fix the security risk, and the version update is small enough that it should not impact the functionality of the plugin or your cordova app and will allow you to submit your app to Google Play.

If this does not fix the issue or you run into any other problems please let me know. I will post as soon as I have the plugin updated and ready so you don't have to manually change the build.gradle file in the future! :)

kungfu-king-betty commented 3 years ago

Hi rex, I am closing this issue because version 1.0.2 has been published, so please update the plugin and you should no longer receive the security vulnerability warning when uploading to the Google Play Store. Thank you again for your detailed description of the issue, making it easier to fix. Please open this issue back up if your problem is not fixed; otherwise, happy coding!
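A scripted form of the check behind the quick fix suggested in the thread, as an added example (not code from the plugin or its maintainer): it scans a project's `*.gradle` files for string-notation pins of `com.google.android.play:core` and flags any older than 1.7.2. Treating every version below 1.7.2 as outdated is an assumption, since the thread only names 1.7.1; the function names and the project tree built in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ARTIFACT = "com.google.android.play:core"
FIXED = (1, 7, 2)  # version the quick fix in the thread moves to (threshold is an assumption)

# String notation only, e.g. implementation "com.google.android.play:core:1.7.1" (not map notation).
DEP_RE = re.compile(r"""["']%s:([^"'\s]+)["']""" % re.escape(ARTIFACT))


def classify(version):
    """Return 'outdated', 'ok', or 'unresolved' for a declared version string."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unresolved"  # dynamic ('1.+') or interpolated ('$ver'): check by hand
    parts = tuple(int(p) for p in version.split("."))
    return "outdated" if parts < FIXED else "ok"


def scan_gradle(root):
    """List (relative path, line number, version, status) for each Play Core pin."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.gradle")):
        for number, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # skip commented-out dependencies
            for match in DEP_RE.finditer(line):
                version = match.group(1)
                rel = path.relative_to(root).as_posix()
                findings.append((rel, number, version, classify(version)))
    return findings


def demo():
    """Scan a constructed project tree (file names and contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugins", "example-plugin", "build.gradle")
        app = Path(tmp, "platforms", "android", "app", "build.gradle")
        for p in (plugin, app):
            p.parent.mkdir(parents=True)
        plugin.write_text('dependencies {\n  implementation "com.google.android.play:core:1.7.1"\n}\n')
        app.write_text("dependencies {\n  // compile 'com.google.android.play:core:1.6.0'\n"
                       "  implementation 'com.google.android.play:core:1.7.2'\n}\n")
        return scan_gradle(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Running `scan_gradle` on the project root before building a release catches a stale pin in any plugin, not only this one; entries reported as `unresolved` need a manual look at the resolved dependency.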