Hi, A customer of mine owns in android Application that was developed by developer some years back who has disappeared now. This app was developed with Apache Cordova. Now Google will unpublish it for security reasons. My question is is there anyway that I can upload a new apk as an update? The app is in my customers account, so I do have full access. ------------------------------------- Dear Google Play App Developer, We wanted to let you know that your app(s) listed at the end of this email are built on a version of Apache Cordova that contains security vulnerabilities. Please migrate your app(s) to Apache Cordova v.3.5.1 or higher as soon as possible. Beginning 8/31/15, Google Play will block publishing of any new apps and updates that use pre-3.5.1 versions of Apache Cordova (see below for details). REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement. The vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see Apache Cordova’s security bulletin. For additional guidance about Apache Cordova, please see https://stackoverflow.com/tags/cordova. To confirm that you’ve upgraded correctly, upload the updated version of the app(s) to the Developer Console and check back after five hours. If the app hasn’t been upgraded correctly, we will display a warning. In 60 days, we will not accept app updates containing pre-3.5.1 versions of Apache Cordova. In addition, we will reject new apps containing pre-3.5.1 versions of Apache Cordova. Note: while the issues may not affect every app that uses Apache Cordova versions prior to 3.5.1, developers should stay up to date on all security patches. Even if you think that specific issues may not be relevant, it's good practice to update any libraries in your app that have known issues. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities. While these issues may not affect every app that uses Apache Cordova versions prior to 3.5.1, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known issues, even if you're not sure the issues are relevant to your app. Before publishing an app, make sure it's compliant with the Developer Distribution Agreement and our Content Policies. If you feel we've sent this warning in error, please reach out to our appeals team through the App Developer help center.

The way I read it, they won't remove/unpublish the old app, they just won't accept any updates to it that do not comply.

My experience has been that Google Play will allow an new .apk to be uploaded in these circumstances and that they will allow publication of the app as long as the updated .apk complies with their requirements. -- John

As long as you still sign it with the same keystore file. if they do remove it you would have to go through the publishing steps again

The problem is that i don't have the keystore file. The only thing that is available to me is the Google play account.

As I see it, you have two options. Option 1 - If you need to do an update to the code, then it will have to be published as a complete new app release. Customers won't get an automatic upgrade as it would be a complete new app. Option 2 - leave it alone, they are not going to pull your existing app if you leave it in the Play store as it is. Alan

I only see a warning to users after a particular date, 60 days, so I don't see it related to your correct App that is already published. LA

Existing developed app in the Play Store is of Cordova Version 2.9.0. We received the below mail. My question is that should the app be updated to Cordova Version 3.5.1 or higher before 31st August or can it go as part of app update after 31st August as well. Could you please help me answer the above queries. ------------------------------------------------------- Dear Google Play App Developer, We wanted to let you know that your app(s) listed at the end of this email are built on a version of Apache Cordova that contains security vulnerabilities. Please migrate your app(s) to Apache Cordova v.3.5.1 or higher as soon as possible. Beginning 8/31/15, Google Play will block publishing of any new apps and updates that use pre-3.5.1 versions of Apache Cordova (see below for details). REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement. The vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see Apache Cordova’s security bulletin. For additional guidance about Apache Cordova, please see https://stackoverflow.com/tags/cordova. To confirm that you’ve upgraded correctly, upload the updated version of the app(s) to the Developer Console and check back after five hours. If the app hasn’t been upgraded correctly, we will display a warning. In 60 days, we will not accept app updates containing pre-3.5.1 versions of Apache Cordova. In addition, we will reject new apps containing pre-3.5.1 versions of Apache Cordova. Note: while the issues may not affect every app that uses Apache Cordova versions prior to 3.5.1, developers should stay up to date on all security patches. Even if you think that specific issues may not be relevant, it's good practice to update any libraries in your app that have known issues. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities. While these issues may not affect every app that uses Apache Cordova versions prior to 3.5.1, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known issues, even if you're not sure the issues are relevant to your app. Before publishing an app, make sure it's compliant with the Developer Distribution Agreement and our Content Policies. If you feel we've sent this warning in error, please reach out to our appeals team through the App Developer help center.