Spell updated with Cordova 3.5.1 security fix

It doesn’t happen very often that I receive emails from Google, and when it does it’s usually bad news (spiders not crawling, terms & conditions updates à la Orwell, etc.). Today they met my expectations as well, with this message:

This is a notification that your it.simonerescio.spell, is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements/2014/08/04/android-351.html.

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.


Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important issues relating to your Google Play account.


Don’t panic, it’s just a library update. Let’s go step by step, following StackOverflow answers.

There are two main commands we need to execute:

The first one updates the PhoneGap version used during the build process of all projects, but that is not enough: we also need to update the PhoneGap libraries in every single project, so that the cordova.js file gets bumped to version 3.5.1 with the Android security fix.

In the terminal, navigate to the directory of your PhoneGap project and run the following:

If you followed the command line installation guide for the PhoneGap CLI, everything will go smoothly. Otherwise you will run into a series of errors due to missing software and configuration. This is how I solved them step by step, with the help of StackOverflow answers and the official docs.

Missing apache ant

The first error I encountered was the missing ant software for building from the command line:

To install it you need to run a command using Homebrew, but I didn’t have that either, so first I installed brew and then ant:

Source : http://stackoverflow.com/questions/19495610/error-executing-command-ant-on-mac-os-x-10-9-mavericks-when-building-for-andro#answer-19495611

Missing Android environment variable

If you haven’t already configured the environment variable pointing to your Android SDK installation, trying to re-execute the update command will result in the following error:

To solve this issue you can follow the official guide and create a bash profile file that sets our variable each time the Terminal app is opened, by running the following:

A text editor window will open with the file we just created. Now paste the paths to your Android SDK platform-tools and tools directories, as in the following example, which should be changed according to the location of the SDK on your computer:

Save changes and run the following command to apply the path to the current session :

Notice that this fix assumes you are using the bash shell. If you are using an alternative like zsh, the issue will persist. You can switch temporarily to bash by typing bash in the terminal window and hitting enter; to get back to zsh (or whatever other shell you’re using) once finished, type exit. Switching shells doesn’t change the current working directory, which you can verify with pwd.

If everything went as planned, inspecting the file at the following path:

you will find this value:
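The same inspection can be scripted so that every project is checked before a new APK is uploaded. This is an added example, not part of the original post: it assumes cordova.js declares its version on a line such as `var CORDOVA_JS_BUILD_LABEL = '3.5.1';`, the function names are hypothetical, and the file to check is passed as an argument.

```shell
#!/bin/sh
# Added example: report whether a cordova.js file is at least the fixed
# Android release (3.5.1) named in the Google Play notice.
# Assumption: the version is declared as
#   var CORDOVA_JS_BUILD_LABEL = '3.5.1';
# (PLATFORM_VERSION_BUILD_LABEL is accepted as well).
MIN_FIXED="3.5.1"

# Print the first version label found in the file, or nothing.
cordova_js_version() {
    sed -nE "s/.*(CORDOVA_JS|PLATFORM_VERSION)_BUILD_LABEL *= *['\"]([0-9][0-9.]*).*/\2/p" "$1" 2>/dev/null | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Status: 0 = patched, 1 = older than the fix, 2 = no version label found.
check_cordova_js() {
    v=$(cordova_js_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN  $1 (no build label found)"; return 2
    fi
    if version_ge "$v" "$MIN_FIXED"; then
        echo "OK       $1 ($v)"; return 0
    fi
    echo "OUTDATED $1 ($v, fix is in $MIN_FIXED)"; return 1
}

# Check the files given as arguments; with none, use two constructed samples.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    echo "var CORDOVA_JS_BUILD_LABEL = '3.5.0';" > "$tmp/old.js"  # constructed
    echo "var CORDOVA_JS_BUILD_LABEL = '3.5.1';" > "$tmp/new.js"  # constructed
    set -- "$tmp/old.js" "$tmp/new.js"
fi
rc=0
for f in "$@"; do check_cordova_js "$f" || rc=1; done
```

An UNKNOWN result means the label was not found in the form assumed here, so that file needs a manual look rather than being treated as patched.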

Update 16/04/2015

The values for the .bash_profile file described above, taken from the official guide, are not valid for PhoneGap version 4.x. The new values needed to accomplish the update operation, quoting StackOverflow, are the following:

Spell version 1.0.1

After these changes I uploaded the new APK to the Play Store. I’ve also included a small fix for the letter “Q”, which was sharing the same description for both upper and lower case in Italian (“Quadro”/“quadro”); the uppercase is now identified with a place name, “Québec”.

If you haven’t updated yet you can follow this link:

Get Spell for free on Google Play




2 thoughts on “Spell updated with Cordova 3.5.1 security fix”

  1. Using Cordova 5.3.3 CLI for Android but unable to upload APK on Google Play Store?
    Is that problem due to the Cordova whitelist plugin? Because I have deleted my platforms and all plugins, then created the whole project again. The alert which I am getting on my Developer account is: REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and sections 4.4 of the Developer Distribution Agreement. The vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials.

    Cordova Android Build is 4.1.1

    1. Thanks for the notice. I’m updating my app again to Cordova 5.x these days and the project does include the whitelist plugin by default; will see if I get that error as well.
