Path traversal security vulnerability on Google Play

Hi!

I received an email from Google where they say that one of my apps has this path traversal security vulnerability. The problem is related with exposing content providers to other apps. As I don’t have any content provider in my game, I assume Corona, or one of its plugins, may be doing that. Could you confirm this info and what I should do to solve this problem?

Thanks!

Br,

Cleverson

Same thing happens to me. All my corona apps on Google Play are getting a warning!

Yep, same here. I believe it is related to website links we have in the apps, not from plugins. At least in my case I suspect that.

Trying to narrow down whether this is a “generic” io.open issue or in one of the plugins. (like zip)

Also, would adding exported=false to the android table in build.settings get added to the manifest?

Same problem here.  Please help, Corona!

The same for me :frowning:

Hey!

We are aware of this issue and trying to solve & test it right now. I will post updates.

Thanks vlads, I also have received a warning from Google.

Cheers,
Jeff

Hello everyone! Daily build 3145 was just published. The only change is closing the mentioned vulnerability. Thank you for your patience.

Testing this issue was extremely hard, since Google Play seemingly doesn’t provide any indication that it was fixed. If you have any questions feel free to ask.

Thanks!

Thanks! I’ll be doing an update submission in a day or two and I’ll let you know if I hear/see anything regarding this issue. 

@vlads,

any chance we can get info on what the underlying issue was?  and the fix?  Might help with some native mode issues.

thanks

Dave

Has anyone tried uploading an APK with a Corona build older than 3145, to see if it gets a path traversal warning/rejection?  Just trying to see if there is any way to know whether the fixed build is accepted by Google.

@dislam, problem is the email says “Starting January 16th, 2018, Google Play will block publishing of any new apps or updates that contain this path traversal vulnerability.” so they may not say anything until January, even if the issue is still present in an older build. Makes it tough to know for sure!

You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. 

In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok. 
 

I would also like to know what caused this to happen. I have over ten apps marked that were built a good while ago on an old build. My issue is that some of the APIs have been updated and it would take many days to update them to the latest build. So I am thinking if the cause can be resolved by removing something or adding something to build settings or manifest it would greatly help. An explanation of the cause and how it was rectified again would be most helpful.

[quote name=“Sheekore” post=“366917” timestamp=“1506148232”]You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok.[/quote]

Great, thank you. This wasn’t enabled for any of my apps. Looks like I have to select the “Opt In” to enable it for future builds.

It is always worth updating your apps. Corona makes it extremely easy. If you are using some old framework, you can always download it and still use it, even if it is not in the Core distribution anymore. Just drop it to root folder of sources and you’re good, for example, here is storyboard.lua. If you need to migrate really old Google IAP plugin or something, we have easy to follow guides on how to do that.

Updating your apps would make them look better on newer Android phones, and generally helps Google Play Store placement.

But if you cannot rebuild the app, I made not-so-simple instructions on how you can actually manually edit the manifest to “fix” this vulnerability. Make sure to test your app after making these changes:

In a nutshell, I use apktool to decompile the apk, then edit its manifest, then recompile and re-sign it.

https://gist.github.com/Shchvova/41628494a2db1dcee611535f8d185b48

Again: do not do that unless you absolutely must.
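Since the warning concerns content providers exposed to other apps, one way to see what a decoded APK actually declares is to list every `<provider>` in its AndroidManifest.xml with its `android:exported` value. This is an added example, not part of the thread, the gist, or Corona's code; the sample manifest is constructed and its package and provider names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample; package and provider names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application android:label="Game">
    <provider android:name="com.example.ProviderA"
              android:authorities="com.example.game.files"
              android:exported="true"/>
    <provider android:name="com.example.ProviderB"
              android:authorities="com.example.game.cache"/>
    <provider android:name="com.example.ProviderC"
              android:authorities="com.example.game.private"
              android:exported="false"/>
  </application>
</manifest>
"""


def audit_providers(manifest_xml):
    """Return one record per <provider>; needs_review is True unless
    android:exported is explicitly "false"."""
    root = ET.fromstring(manifest_xml)
    records = []
    for provider in root.iter("provider"):
        exported = provider.get(ANDROID + "exported")  # None when absent
        records.append({
            "name": provider.get(ANDROID + "name"),
            "authorities": provider.get(ANDROID + "authorities"),
            "exported": exported,
            # An absent attribute falls back to a platform default that depends
            # on the app's SDK levels (true for minSdk/targetSdk 16 or lower),
            # so it is flagged rather than assumed safe.
            "needs_review": exported != "false",
        })
    return records


if __name__ == "__main__":
    # Optional argument: path to the AndroidManifest.xml of a decoded APK.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for rec in audit_providers(text):
        flag = "REVIEW" if rec["needs_review"] else "ok"
        print(flag, rec["name"], rec["authorities"], "exported=%s" % rec["exported"])
```

Running it on the manifest before and after a rebuild or manual edit shows whether any provider is still reachable from other apps.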

If you use the apktool to manually edit the manifest, do you have to do this every time you do a build or is the manifest somewhere in my app resources and once you change it once it’s changed forever?

If you plan to build your app and then use apktool, you should seriously consider building with 3145, where this is just fixed.

@Vlads,

thanks for this, successfully updated 4 apps this way as I really would’ve had to make some serious changes.

Moved up to 3145 now for the rest.

Thanks for a nicely detailed response :slight_smile: