Amazon Appstore issue

Hello, I sumbitted a game to Amazon Appstore and got it rejected with the following message:

_Your recent submission of Proteggo is pending due to the following reason(s):

The app has failed the following test case: The application does not use encryption when sending sensitive information. While monitoring network traffic, the tester observed that the device ID was sent in plain text multiple times. Steps to reproduce: 1. Download and launch the application. 2. Monitor network traffic. 3. Observe that the device ID was sent in plain text.

Please correct the issue(s) we found with your app submission so we may continue working to get it in the Appstore._

I am not doing anything with the device ID… I wonder if this is about analytics…

How can I get past this?
Thank you

Raúl Beltrán
MIU Games [import]uid: 44101 topic_id: 17282 reply_id: 317282[/import]

This is the first time we’ve heard of this issue, so thanks for bringing it to our attention. We’ll be looking into it and will hopefully have a solution soon.

Thanks again,
[import]uid: 52430 topic_id: 17282 reply_id: 65329[/import]

Hello Jonathan, any news on this?

Thanks

Raúl Beltrán [import]uid: 44101 topic_id: 17282 reply_id: 67016[/import]

This is a launchpad analytics packet that is used to track your customers’ app usage. The Device ID that is sent is MD5 hashed. It’s already encrypted. Corona does not actually expose the ID of the device. Please inform them of this.

If the above still isn’t enough to pass your app, then you can alternatively disable launchpad analytics by following the instructions via the below link…
http://developer.anscamobile.com/content/configuring-projects#LaunchPad
[import]uid: 32256 topic_id: 17282 reply_id: 67661[/import]

Well, guess what? I re-submitted the game to the Amazon Appstore and this time it was approved. I didn’t change anything in the code, just re-compiled with the latest daily build available about two weeks ago.

Thank you for your help!

Raúl Beltrán
MIU Games [import]uid: 44101 topic_id: 17282 reply_id: 70468[/import]

Great news! Thanks for letting us know… [import]uid: 52430 topic_id: 17282 reply_id: 70480[/import]

I’m also having this issue now with Amazon. I’ve tried twice. I build my app for Amazon/Kindle and use my keystore to sign it.

My app downloads an xml file like so:network.download( "http://themoneyconverter.com/rss-feed/USD/rss.xml", "GET", networkListener, "rss.xml", system.DocumentsDirectory )
Could that be sending the device ID in the clear? [import]uid: 55576 topic_id: 17282 reply_id: 82622[/import]

Yes, just tell them that no sensitive information is being transferred. We do some network requests when starting our game. They approved it afterwards. Then they set “Dynamic Content” to yes.

Hoan
[import]uid: 22829 topic_id: 17282 reply_id: 82632[/import]

I sent the email explaining the HD5 hash to Amazon. Here is their response:

**Thank you for writing in. Below is one of the communications from Money Storm v 1.0 that includes the device ID. It is in plain text, not MD5 hashed:

‘GET /simpleM2M/clientRequestWVTextOnly?aid=theIdeaMen_MoneyStorm_iPhone&po=600&v=2.0.1-Android-3.0.4&
hid=A000002C69BA3A&t=1327694272705&w=540&h=960 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; DROID3 Build/5.5.1_84_D3G-55) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1\r\nHost: wv.inner-active.mobi\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip\r\n\r\n\r\n’**

Not sure how to continue. [import]uid: 55576 topic_id: 17282 reply_id: 83008[/import]

Your app has failed a test case.

I have the same problem, my game just failed Amazon’s tests:

Bug Description:

The application does not use an encrypted connection when communicating sensitive information. While monitoring the network traffic generated by the application, the user observed that the device ID appeared in unencrypted traffic.

Steps to Reproduce:

1. Launch the application while monitoring network traffic.
2. Observe that the device ID appears in unencrypted traffic. OS/Device(s)/Form Factor: Samsung i777 (Galaxy S 2)

What is the solution to this? Do I have to disable Launchpad to get it into Amazon’s AppStore? Is that enabled by default?

–wunderwuzzi [import]uid: 118947 topic_id: 17282 reply_id: 85937[/import]

Ok, I digged into this a bit deeper with Wireshark and on Android this request is issued (obfuscated the values) to stats.anscamobile.com, which is probably what Amazon observed:

json={“appVersion”:“1.0”,“appId”:“3339474f25dd033337f0.40913035”,
“sessionId”:“1328333335.76c8c2a034b33333333345345796eb94b0”,“subType”:“pro”,
“deviceId”:“42342345343443534234”,“deviceName”:“GT-I9001”,“deviceOSVersion”:“2.3.3”,
“deviceOS”:“Android”,“mode”:“distribution”,“timestamp”:13233338747, “buildNum”:“2012.731”}
What data is exactly sent off from the device?
I am not sure what deviceID is? Is it the IMEI md5 hashed?
What is deviceName? Could this be a personal string that the user entered on their device or is this the Model Number?

–wunderwuzzi

[import]uid: 118947 topic_id: 17282 reply_id: 85995[/import]

I just heard back from Amazon on my first submission to them with this same error.

I don’t mind turning off launch pad, but I do mind turning off ads. The documentation on turning off launch pad says:

“Note: Setting “require credits”, “require gameNetwork”, or “require ads” in your code will enable LaunchPad and override this setting.”
How do I solve this? I could make it a 99 cent app on Amazon without ads, but it’s free with ads on Android Marketplace. But how would that be received?

Rob [import]uid: 19626 topic_id: 17282 reply_id: 90000[/import]

@duff333 that string you’re showing is an Inneractive Ad request to their servers.

[import]uid: 19626 topic_id: 17282 reply_id: 90001[/import]

@robmiracle: I resubmitted my game and then Amazon just approved it the second time. I added some reasoning, although put it in the wrong field. Watch out for that, use a different field and not release notes… haha.

This is how it looks now on the AppStore and I can’t just change that text, but opened a support case, hopefully Amazon can promptly remove the text:

http://www.amazon.com/Johann-Digital-Works-Wonder-Witches/dp/B007EXNR7Y/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1330495224&sr=1-1

–wunderwuzzi [import]uid: 118947 topic_id: 17282 reply_id: 90111[/import]

Everyone,

Just to let you know, I’ve actually written up a request to send Launchpad analytics via HTTPS instead of as plain text HTTP to avoid this whole device ID issue that Amazon is siting. As of 2 weeks ago, we became aware that inneractive was sending device IDs too and we have requested them to use HTTPS as well. I hope that we can make this happen by the next release of the Corona SDK.

In the meantime, I’ve noticed that Amazon’s handling of this device ID issue has been inconsistent. You could just submit your app again. I know this is inconvenient, but I don’t have anything else to offer at the moment. [import]uid: 32256 topic_id: 17282 reply_id: 90287[/import]

@wunderwuzzi
@robmiracle

For the current approvals did you turn off LaunchPad? I’m getting an app ready to submit this week.

-Brad [import]uid: 110373 topic_id: 17282 reply_id: 90291[/import]

I kept it on. The first review took quite long, a couple of days and then it was rejected. Second attempt was approved within 36 hours and the Wonder Witches update 1.1 was just approved today within a few hours.

Put something in the “test instructions” in this regards, that might help (e.g. Joshua pointed out that it’s MD5 hash of the id).

@Joshua, thanks for driving this. Moving to SSL generally is the right thing todo in my opinion. Kudos.

–wunderwuzzi [import]uid: 118947 topic_id: 17282 reply_id: 90307[/import]

I have not resubmitted mine yet. I’m reworking it to be a paid version on Amazon.

Even though Launchpad may be using MD5, Inneractive is not. So I’m going to resubmit it after I de-ad it. [import]uid: 19626 topic_id: 17282 reply_id: 90387[/import]