Spell updated with Cordova 3.5.1 security fix

It doesn’t happen really often to receive emails from Google, and usually when it happens it’s bad news (like spiders not crawling, terms&conditions updates a la Orwell etc), and also today they met my expectations with this message :

This is a notification that your it.simonerescio.spell, is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements/2014/08/04/android-351.html.

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.


Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important issues relating to your Google Play account.


Don’t panic, it’s just a library update, let’s go step by step, following StackOverflow answers.

There are two main commands we need to execute :

sudo npm update -g phonegap

this one updates the phonegap version used during the build process of all projects, but it’s not enough we also need to update the phonegap libraries in every single project so that the cordova.js file gets bumped to version 3.5.1 with the Android security fix.

Navigate in terminal to the directory of your phonegap project and run the following :

phonegap platform update android

If you did follow the command line installation guide for PhoneGap cli everything will go smoothly, otherwise you will run in a series of errors due to missing software and configurations, this is how I solved  step by step with StackOverflow answers and Official Doc help.

Missing apache ant

The first error I encountered is missing ant software for building from command line :

Error: ERROR : executing command 'ant', make sure you have ant installed and added to your path.

to install it you need to run a command using the HomeBrew library, but I didn’t have that either so first I installed brew and then ant :

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

brew install ant

Source : http://stackoverflow.com/questions/19495610/error-executing-command-ant-on-mac-os-x-10-9-mavericks-when-building-for-andro#answer-19495611

Missing Android environment variable

If you haven’t already configured the environment variable to your AndroidSDK installation, trying to re execute the update command will result in the following error :

Error: The command "android" failed. Make sure you have the latest Android SDK installed, and the "android" command (inside the tools/ folder) is added to your path.

to solve this issue you can follow the official guide, making a bash profile file that includes our variable each time the teminal app is opened, by running the following :

touch ~/.bash_profile; open ~/.bash_profile

A TextEditor window will open with the file we just created, now past the path to your AndroidSDK platform-tools and tools directories, like in the following example that should be changed accordingly to the location of the SDK on your computer:

export PATH=${PATH}:/Development/android-sdk-macosx/platform-tools:/Development/android-sdk-macosx/tools

Save changes and run the following command to apply the path to the current session :

source ~/.bash_profile

Notice that this fix assumes you are using the bash shell, if you are using any alternative like zsh the issue will still persist, you can switch temporarily to bash shell if you digit bash in the terminal window and hit enter, to get back to zsh or whatever other shell you’re using once finished digit exit, switching shells doesn’t change the current working directory, you can verify with pwd.

If everything went as planned inspecting the file at the following path :


You will find this value :


Update 16/04/2015

The values needed in the .bash_profile file described above from the official guide are not valid for Phonegap version 4.x, the new values needed to accomplish the updated operation, quoting stackoverflow, are the following :

export ANDROID_HOME=/<installation location>/android-sdk-macosx
export PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools

Spell version 1.0.1

After these changes I uploaded the new APK on the playstore, I’ve included also a small fix for the “Q” letter that was sharing the same description for both upper and lower cases in italian, “Quadro”/”quadro”, now the uppercase is identified with a  place name which is “Québec”.

If you haven’t updated yet you can follow this link :

Get Spell for free on google-play-store-logo



2 thoughts on “Spell updated with Cordova 3.5.1 security fix”

  1. Using Cordova 5.3.3 cli for Android but unable to upload apk on Google Play Store?
    Is that problem due to cordova plugin whitelist. because i have deleted my platforms and all plugins than again created the whole project. The alert which i am getting on my Developer account is: REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and sections 4.4 of the Developer Distribution Agreement. The vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials.

    Cordova Android Build is 4.1.1

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.