Recently Cordova developers were informed by Google over security vulnerabilities:

Google Play warning: You are using a vulnerable version of Apache Cordova

Hello Google Play Developer,
Your app(s) listed at the end of this email utilize a version of Apache Cordova, an open-source mobile development framework, that contains one or more security vulnerabilities. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible and increment the version number of the upgraded APK. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.
The vulnerabilities were addressed in Apache Cordova 4.1.1. If you’re using a 3rd party library that bundles Apache Cordova, you’ll need to upgrade it to a version that bundles Apache Cordova 4.1.1 or later.
To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
For information about the vulnerabilities, please see this Google Help Center article. For other technical questions, you can post to Stack Overflow and use the tag “android-security.”
While these specific issues may not affect every app that uses Apache Cordova, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered Dangerous Products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
Regards,
The Google Play Team
©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

Affected App(s) and Version(s): ...

Lets face it, Google is forcing Cordova developers to update their Cordova apps, otherwise it is impossible to release any updates after May 9, 2016 in the Google Play store.

To check the current Android platform version:
$ cordova platform version android

One of the biggest changes while upgrading the Android platform is probably that the minSdkVersion has been switched from 7 to 14.

For more details, check this link too.

To upgrade, enter:
$ cordova platform update android@4.1.1

From my personal experience with Cordova, I recommend you to check the whole app carefully after every update. Make sure everything work like expected.

Android Apache Cordova Featured

Wednesday, February 24, 2016

When I ported a Cordova app to Android 5 (Lollipop), I noticed, that the login does not work anymore. In prior versions of Android it works like a charm (app login is based on session cookies).

Part of the Android Lollipop changes:

Apps that target KITKAT or below default to allowing third party cookies. Apps targeting LOLLIPOP or later default to disallowing third party cookies.
https://developer.android.com/reference/android/webkit/CookieManager.html 

Android 5.0 changes the default behaviour for your app.
If your app targets API level 21 or higher:
The system blocks mixed content and third party cookies by default. To allow mixed content and third party cookies, use the setMixedContentMode() and setAcceptThirdPartyCookies() methods respectively.
The system now intelligently chooses portions of the HTML document to draw. This new default behaviour helps to reduce memory footprint and increase performance. If you want to render the whole document at once, disable this optimization by calling enableSlowWholeDocumentDraw().
If your app targets API levels lower than 21: The system allows mixed content and third party cookies, and always renders the whole document at once.
https://developer.android.com/about/versions/android-5.0-changes.html#BehaviorWebView

Indeed, if the app rely on session cookies it will stop working as expected.

However. Here is a fix to make session cookies work again on Android Lollipop and above:

/*
       Licensed to the Apache Software Foundation (ASF) under one
       or more contributor license agreements.  See the NOTICE file
       distributed with this work for additional information
       regarding copyright ownership.  The ASF licenses this file
       to you under the Apache License, Version 2.0 (the
       "License"); you may not use this file except in compliance
       with the License.  You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

       Unless required by applicable law or agreed to in writing,
       software distributed under the License is distributed on an
       "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
       KIND, either express or implied.  See the License for the
       specific language governing permissions and limitations
       under the License.
 */

package com.blogspot.tol8;

import android.os.Bundle;
import org.apache.cordova.*;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebView;

public class MyApp extends CordovaActivity
{
    @Override
    public void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        super.init();

        // Allow third party cookies for Android Lollipop
        if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP)
        {
                WebView webView = (WebView)super.appView;
                CookieManager cookieManager = CookieManager.getInstance();
                cookieManager.setAcceptThirdPartyCookies(webView,true);
        }
        super.loadUrl(Config.getStartUrl());
    }
}

BTW: Make sure that you use the latest Android SDK to compile the source code. I have also created an issue at the Cordova bug tracker (https://issues.apache.org/jira/browse/CB-8026).

Apache Cordova Java PhoneGap

Tuesday, November 18, 2014

In the early years of the Internet, it was possible to breach users security by using of JavaScript to exchange information from one website to another that has less reputation.

Therefore, all modern browsers implement the same origin policy that prevents attacks like cross-site scripting.

However, sometimes cross-origin HTTP request is a must-have requirement for a web application. This article will discuss about methods of how to deal with cross-origin HTTP requests. Lets start with some background information.

Origin policy

The algorithm used to calculate the "origin" of a URI (Uniform Resource Identifier) is specified in RFC 6454.

There are two different cases:

1. Absolute URIs, the origin is the triple {protocol, host, port}
2. If the URI does not use a hierarchical element as a naming authority (RFC 3986) or if the URI is not an absolute URI, then a globally unique identifier is used.

Two resources are considered to be of the same origin if and only if all these values are exactly the same.

The table below illustrates a check against the URL "http://www.example.com/pages/index.html":

URL to compare	Result	Why?
http://www.example.com/pages/index2.html	ok	Same host and protocol
http://www.example.com/pages2/index.html	ok	Same host and protocol
httpː//username:password@http://www.example.com/pages/index.html	ok	Same host and protocol
http://www.example.com:8080/pages2/index.html	fail	Same host and protocol, but different port
https://www.example.com/pages/index.html	fail	Different protocol
http://sub.example.com/pages/index.html	fail	Different host
http://example.com/pages/index.html	fail	Different host
http://www.example.com:80/pages/index.html	-	(Different port) Depends on the browser implementation

If the policy cannot be applied, the web browser will respond with an exception message, such as the following:

XMLHttpRequest cannot load ...
Cross origin requests are only supported for HTTP.
Uncaught NetworkError: A network error occurred.

Relaxing the same origin policy

Here are some techniques to relax with origin policy:

• JSONP. If the requirement was to get only the data from a different domain, then a JSONP request is the best choice. JSONP includes external data via the <script> tag.
• Cross origin resource sharing. This extends HTTP with a new origin request header and a new Access-Control-Allow-Origin response header. This article describes how to enable CORS.
• Disable web security (for development mode only). If an application is under development, the web security can temporarily disabled for the web browser. While the web browser is in an unsecured mode, it is highly recommended not to surf on public Internet pages (since the browser is vulnerable for all cross site scripting attacks). See "Disable web security for a web browser".
• Reverse Proxy. A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin. See "Setup a reverse proxy".
• Whitelist (PhoneGap). If a web application is deployed to a mobile device with PhoneGap the domain can whitelisted (Whitelist Guide).

Disable web security for a web browser

For Google Chrome, the following command must executed in Terminal (browser must be closed):

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security

Setup a reverse proxy

Nowadays there are many http servers on the market, however this article focuses on how to configure a reverse proxy with XAMPP.

Install XAMPP

XAMPP is a free and open source cross-platform web server solution stack package, consisting mainly of the Apache HTTP Server, MySQL database, and interpreters for scripts written in the PHP and Perl programming languages.

You can download XAMPP here http://www.apachefriends.org/en/xampp.html.

Configure a virtual host

A virtual host gives you the possibility to run several name-based web applications on a single IP address.

Configuring the virtual host on your web server does not automatically cause DNS entries to be created for those host names. You can put entries in your hosts file for local testing.

Make a local host file entry

1. Open your Terminal.
2. Type: "sudo vi /private/etc/hosts" to open the host file.
3. Add the following entry "127.0.0.1 local.app.com" to the end of this file. You can modify this domain name to your needs.
4. Save the file and close it.

Configure XAMPP

1. Open your Terminal.
2. Open the XAMPP virtual host file. "sudo vi /Applications/XAMPP/etc/extra/httpd-vhosts.conf"
3. Add the following virtual host entry to the end of this file:

<VirtualHost *:80>
  DocumentRoot "/Volumes/workspace/myHtml5App"
  ServerName local.app.com
  ProxyPass       /service.php       http://yourExternalHost.com/communication/service.php
</VirtualHost>

Short explanation:

• "*:80" Listen for virtual host requests on all IP addresses.
• "DocumentRoot" Destination of the web application on the filesystem.
• "local.app.com" Server name, must be the same name as in the host file above.
• "ProxyPass" Proxy path holds the service address.

Before you restart the server, make a quick check to the httpd.conf file. ("sudo vi /Applications/XAMPP/etc/httpd.conf").

Make sure that the following entries are not commented with a "#"

• "Include /Applications/XAMPP/etc/extra/httpd-vhosts.conf"
• LoadModule proxy_module modules/mod_proxy.so
• LoadModule proxy_connect_module modules/mod_proxy_connect.so

If all is fine, restart your server.

If you call "local.app.com" in your browser, the web application should open. But you will still receive a cross origin policy exception, because your web application still sends the requests to "http://yourExternalHost.com/communication/service.php".

To fix this, replace the URL "http://yourExternalHost.com/communication/service.php" with "local.app.com/service.php" in your web application.

Apache JavaScript PhoneGap Sencha Sencha Touch XAMPP XHR XMLHttpRequest

Monday, November 25, 2013

From the Terminal (press ⌘ + SPACE and type terminal) you will run the following commands:

sudo apt-get install apache2
sudo apt-get install php5
sudo /etc/init.d/apache2 restart

Note: Your web folder is in "/var/www". If you restart the Apache HTTP Server you maybe get the following message:

* Restarting web server apache2                                                                                              apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

The solution to fix it is really simple, you just add the ServerName directive to "/etc/apache2/httpd.conf":

sudo vi /etc/apache2/httpd.conf

Add the line: ServerName localhost

Finally restart the Apache HTTP Server:

sudo /etc/init.d/apache2 restart

done!

Apache PHP Ubuntu

Wednesday, November 21, 2012