Plugin(s)
Version
8.0.1
Platform(s)
Current behavior
Our Android security scan reports unsafe/deprecated C API symbols in the built app binary.
Investigation shows the symbol source is a transitive native library:
libdatastore_shared_counter.so from androidx.datastore:datastore-core-android:1.1.7.
This dependency is pulled in through the Firebase dependency chain used by the Capacitor Firebase plugins.
No direct first-party C/C++ usage was found in our app source.
Expected behavior
The Firebase dependency graph should avoid shipping native code that triggers unsafe API scanner findings, or provide official guidance confirming safety and a recommended upgrade path.
We expect a clear recommendation on supported version alignment, such as DataStore 1.2.1 or newer.
Reproduction
https://github.com/orderbridge2013/firebase-datastore-security-repro
Steps to reproduce
- Create a new Capacitor Android project from the awsome-team template.
- Add Firebase plugins and firebase package versions above.
- Sync and build Android release.
- Run Gradle dependency insight for androidx.datastore:datastore-core-android.
- Observe resolved transitive dependency version 1.1.7.
- Inspect merged native libs and observe libdatastore_shared_counter.so.
- Run security scan and observe unsafe C API symbol finding.
Other information
- Platform: Android only
- Plugin version: 8.0.1
- firebase package: 12.8.0
- Resolved Firebase Android libs in our build:
  - com.google.firebase:firebase-messaging:25.0.1
  - com.google.firebase:firebase-analytics:23.0.0
- Transitive package identified:
  - androidx.datastore:datastore-core-android:1.1.7
- We validated the dependency can resolve to 1.2.1 via Gradle override test.
Capacitor doctor
Run this from project root and paste full output:
npx cap doctor
Before submitting
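
The "inspect merged native libs" and "run security scan" steps can be cross-checked by hand with the script below, which lists the libc imports of every `.so` in a built APK. It is an added example, not part of the original report or of any Firebase/AndroidX code. The symbol list is an assumption (the report does not name the flagged symbols), as are the function names and the `llvm-nm` default.

```shell
#!/bin/sh
# Added example, not from the issue or from any Firebase/AndroidX project.
# Assumption: the report does not name the flagged symbols; this list holds
# libc functions that mobile scanners commonly flag.
UNSAFE='strcpy|strcat|sprintf|vsprintf|gets'

# Read `nm -D --undefined-only` output on stdin and print every imported
# symbol from the list, tagged "plain" (direct libc call) or "fortified"
# (bionic's bounds-checked __<name>_chk wrapper).
classify_imports() {
    awk -v re="^(${UNSAFE})\$" '
        { sym = $NF; sub(/@.*/, "", sym) }   # strip version suffix (@LIBC)
        sym ~ re { print "plain " sym; next }
        sym ~ /^__.*_chk$/ {
            base = sym; sub(/^__/, "", base); sub(/_chk$/, "", base)
            if (base ~ re) print "fortified " sym
        }'
}

# Unpack lib/<abi>/*.so from an APK and classify each library's imports.
# NM defaults to llvm-nm from the NDK; set NM=nm to use binutils.
scan_apk() {
    tmp=$(mktemp -d) || return 1
    unzip -q -o "$1" 'lib/*' -d "$tmp" || { rm -rf "$tmp"; return 1; }
    find "$tmp/lib" -name '*.so' | sort | while read -r so; do
        rel=${so#"$tmp"/}
        "${NM:-llvm-nm}" -D --undefined-only "$so" 2>/dev/null |
            classify_imports | awk -v p="$rel" '{ print p, $0 }'
    done
    rm -rf "$tmp"
}

# Constructed nm output (not taken from libdatastore_shared_counter.so).
SAMPLE_NM='                 U __cxa_atexit@LIBC
                 U __strcpy_chk@LIBC
                 U mmap@LIBC
                 U sprintf@LIBC
                 U strlen@LIBC'

if [ $# -gt 0 ]; then
    scan_apk "$1"                       # path to the built release APK
else
    printf '%s\n' "$SAMPLE_NM" | classify_imports
fi
```

A "fortified" line means the library was built with FORTIFY and calls the checked wrapper rather than the raw function, which is useful context when deciding whether a scanner finding on a transitive library needs action.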