Posted to issues@cordova.apache.org by "Joe Bowser (JIRA)" <ji...@apache.org> on 2017/12/18 22:24:00 UTC

[jira] [Comment Edited] (CB-13648) Cordova Android Security Concern? What is the correct workflow for apps with this issue? (see description)

    [ https://issues.apache.org/jira/browse/CB-13648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16295756#comment-16295756 ] 

Joe Bowser edited comment on CB-13648 at 12/18/17 10:23 PM:
------------------------------------------------------------

Well, this is a complicated issue for many reasons.

1. Devices that were no longer supported after Heartbleed hit would still be vulnerable to this, so anything that was EOLed in 2014 is affected.
2. Google System WebView became an installable component back in Android 5.0, so installing the latest WebView is the best solution to work around this issue for Cordova.
3. The reason you have to buy a new device once an OEM stops supporting it IS these sorts of vulnerabilities.

There are third-party plugins that use a different method for loading SSL content into a WebView, but I have no idea what the performance hit is, nor do I know whether it's even worth it, since this would be a small subset of our currently supported users. Honestly, this just seems more like a really good argument for dropping support for Android 4.4 devices than anything else.

I've asked another team member for a link to their third-party plugin that does this. I'd still be wary of any Android version older than Android 5.0, to be honest.


> Cordova Android Security Concern? What is the correct workflow for apps with this issue? (see description)
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: CB-13648
>                 URL: https://issues.apache.org/jira/browse/CB-13648
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android
>            Reporter: Abhishek Joshi
>            Assignee: Joe Bowser
>
> https://developer.android.com/training/articles/security-gms-provider.html
> 1) Is this bug discussed above a concern with Cordova apps out of the Box (near helloworld level of apps), since Cordova runs off Webviews?
> 2) If this bug is a concern, what should the correct workaround be? Do I need to create my own plugin to manage this? Is there a solution?
> 3) Any comments?


