Cordova Android security issue for Visual Studio projects


Recently, Trend Micro announced the discovery of a security flaw in the Apache Cordova Android platform that affects all current versions of Cordova. The Cordova Community has released an update for Cordova to address this issue.

We recommend that all users of Microsoft Visual Studio 2013 CTPs or earlier versions of Microsoft Visual Studio 2015 CTPs upgrade to Microsoft Visual Studio 2015 RC or a later version. By using the latest Visual Studio release, you can take advantage of features that simplify the Cordova update process. We are also working with the Cordova community on a “tools release” for Cordova that will use the updated versions of the Cordova Android platform by default. We will also be updating the templates in Visual Studio to use this newer version of the platform.

In the meantime, you can immediately update your Microsoft Visual Studio projects to the updated version of the Cordova Android platform when you use Apache Cordova 4.3.0 or Apache Cordova 5.0.0 together with Tools for Apache Cordova 2015 RC. To do this, follow the steps in the "More Information" section.

More Information

Updating your project

To update your Visual Studio project to use the updated version of the Cordova Android platform, you must add an XML element to Config.xml. To do this, follow these steps:

  1. In Visual Studio, right-click Config.xml, and then click View Code.
  2. Add the following entry under the root <widget> element, depending on your version of Cordova:

    For Cordova 4.3.0 (default version)

    <engine name="android" version="3.7.2" />
    For Cordova 5.0.0

    <engine name="android" spec="4.0.2" />

Additional step for existing Android builds

For projects for which you have already created a build for Android on your system, you must also remove the old version of the Cordova Android platform. To do this, follow these steps:
  1. Open a Command Prompt window, and then change to your Cordova project root folder (not the solution root).
  2. At the command prompt, type the following commands:

    npm install -g cordova 
    cordova platform remove android 
The next time that you create a build, you will be using the updated version of the Cordova Android platform.

For an updated versions of the Visual Studio template Config.xml files and for a batch file that removes the old version of the Cordova Android platform when it is run from your project folder, go to the following GitHub website:


For the announcement about this issue that was issued by Trend Micro, go to the following Trend Micro website:

For more information about the Apache Cordova update for this security issue, go to the following Apache Software Foundation website:

For more information about upcoming Cordova tools releases, see the "News" section of the Apache Cordova website.
Third-party information disclaimer
Third-party information disclaimer

Article ID: 3069704 - Last Review: 01 Jun 2015 - Revision: 1