Google Play warning: You are using a vulnerable version of MoPub

Hi,

I just received an email from Google that my apps are using a version of the ad platform MoPub that contains a security vulnerability.

As far as I know I’m not using MoPub as an advertisement partner. Is this plugin embedded in the Corona SDK by default, or is it part of the AdRally/Fuse plugin? I’m using that plugin to monetize my apps.

Full message from Google:

Hello Google Play Developer,

Your app(s) listed at the end of this email utilize a version of the ad platform MoPub that contains a security vulnerability. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

Please migrate your app(s) to MoPub v4.4.0 or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use pre-4.4.0 versions of MoPub.

The vulnerability was addressed in MoPub 4.4.0. The latest versions of the MoPub SDK can be downloaded here. You can confirm the version number by checking in MoPubUtils class. To confirm the version number, please see this help center page.

If you need more information, you can contact MoPub support by emailing support@mopub.com. If you’re using a 3rd party library that bundles MoPub, you’ll need to upgrade it to a version that bundles MoPub 4.4.0 or higher.

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

The vulnerability is due to unsanitized default WebView settings. An attacker may exploit this vulnerability by serving a malicious JavaScript code in an advertising creative, making it possible to infer the existences of privacy-sensitive local resources on the devices. For Android devices with the prior versions of API 16, the attacker can even access local resources. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “MoPub.”

While these specific issues may not affect every app that uses MoPub, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
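For readers who render ad creatives in their own WebView rather than through a bundled SDK, here is an added example (not code from the thread, Google, MoPub or Fuse) of locking down the "default WebView settings" the notice refers to: file and content URL access is denied, the API-16 file-URL setters are applied where they exist, and navigation away from plain web origins is refused. The class name and the base URL are hypothetical.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;

/** Hypothetical helper that locks down a WebView used to display third-party ad creatives. */
public final class AdWebViewHardening {

    private AdWebViewHardening() {}

    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();

        // Creatives usually need JavaScript; nothing else below should stay enabled.
        settings.setJavaScriptEnabled(true);

        // Deny file:// and content:// reads from the creative. This is what stops a creative
        // from probing whether a sensitive local file exists on the device.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        // These setters exist from API 16 (Jelly Bean). On older devices a file:// page could
        // read other file:// content by default, which is the "can even access local
        // resources" case the notice describes, so there the file-access denial above is the
        // only protection available.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // Navigation guard: returning true tells the WebView not to load the URL.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url);
            }
        });
    }

    /** Only plain web origins are allowed; file://, content://, javascript: etc. are refused. */
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        String lower = url.toLowerCase(Locale.ROOT);
        return lower.startsWith("https://") || lower.startsWith("http://");
    }

    /** Render a creative over an https base (hypothetical host) so relative URLs never resolve to file://. */
    public static void loadCreative(WebView webView, String html) {
        harden(webView);
        webView.loadDataWithBaseURL("https://ads.example.invalid/", html, "text/html", "UTF-8", null);
    }
}
```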

We got these same warnings today along with another developer - any ideas?

All of my apps on Google Play got the same warnings.

It looks like we can’t upload APKs before solving this issue, or we may be considered in violation of Google Play’s Malicious Behavior policy :huh:

I’m looking into it.

I don’t think Google Play will stop you from uploading new APKs, as long as they are compliant, but I wouldn’t upload any Fuse/AdRally APKs at this time until we know the version of MoPub being used is the later one. They want these issues fixed/updated, and they set the deadline for July 11, 2016, giving developers ample time to update and stop using the old version of MoPub.

I did a test, and removed Fuse from one of our lower earning apps, and the flag was removed after about 24 hours. Pity, because it pretty much affected any AdRally/Fuse integrated apps.

Any news regarding this issue?

I uploaded a new build of one of my apps with #2016.2855 yesterday; the warning mark was still there and said my previous version APK had the MoPub issue. When I woke up today and checked it again, the warning was gone.

Not sure whether it’s fine or not; I will check it again after a couple of days and hope no warning pops up again, so I can feel free to update the rest of my apps.

I haven’t gotten any solid info on this. We don’t use MoPub anywhere that I’m aware of and it seems like it might be the Fuse plugin. Can everyone getting the MoPub issue confirm they are using Fuse?

Fuse may have fixed it on their side if you’re no longer getting the warning.

Rob

The Google warning is related to a sensitive version of MoPub which was included in the Fuse/AdRally plugin. We have been in contact with them and they have updated and fixed this, so you can update your apps and get the flag removed.

Just update your app with the Fuse plugin, OR remove the Fuse plugin and use an alternative ad network plugin like AdMob, and the flag will be removed within 24 hours.

But either way, Fuse is good now; they updated the libraries and MoPub to remove the vulnerable version that was getting the apps flagged.

As an FYI, this is an issue across all apps integrated with MoPub; even some Unity SDK apps that have MoPub have received these errors. There was some vulnerable code in their library which just happens to come with the Fuse plug-in, and that is why Google has flagged these apps. This is no fault of Fuse or Corona, but rather of the version of MoPub that was included in the Fuse plug-in.