Path traversal security vulnerability on Google Play

@vlads This is the link: https://support.google.com/faqs/answer/7496913

@vlads My goodness. I received the same dreaded email on one of our apps yesterday. It has been REMOVED from the app store as of yesterday. This app makes money every single day so this has an immediate impact on our revenue stream. The “removed” app was last updated a few months ago using Build 3615. It is a 4 year old app. It has used these plugins for several years: gpgs, adcolony, startapp, chartboost, admob, applovin, vungle, fbAudienceNetwork, facebook, flurry, notifications. Please help us soonest with any possible guidance or fixes. Like @elvo, I am worried that this is the tip of a “removal” iceberg (avalanche?) as all of our apps are built similarly. I can forward the entire Google email to you if you wish. Thanks.

Yes please, this was fixed a long time ago. Well. I hope it was fixed. But you say that you got this issue with 3615?
Please, forward me an email to support. Either solar2d.com or coronalabs.com.

Please. Paste text so I can google what is going on. Typing from screenshots is not great. Thanks.

OK. This issue was fixed about 3 years ago. According to the link https://support.google.com/faqs/answer/7496913
@elvo provided, it seems that you couldn’t upload an app or update with this vulnerability since January 16th, 2018.
So it seems I am missing something here, because lots of people did upload updates to their apps over last 3 years.
Please, forward original emails, with issue descriptions.

I’m sorry I wrote a new thread because I was in a hurry.
forums:#352911
Maybe I have a similar problem, the app has been removed.

My app is also an old app that has been updated for 5 years.
Last time I dealt with multiple apps for this issue.
For most apps, the warning disappeared and the problem went away.
However, only this app continued to display warnings.
I was told in the forum that the warning display may disappear after a delay, and I left it alone.
The app disappeared instead of the warning disappearing :sob:

@vlads I just forwarded the Google Email (along with my build.settings file) telling me of my “removal”. I sent it to an address of yours from some correspondence we had. Also, I examined the timing of the last update (August, 2021) and I am about 95% certain it was made with build #3609. Let me know if you don’t receive my email. Thanks. Steve

BTW – this particular app has been updated 2 or 3 times a year every year since 2016. So it has had about 6 successful Google Play updates since 2018.
Steve

If it’s the same as my problem, I don’t think the build version is relevant.
My app has also been released since 2015, but the last update date is April of this year.
I’m using the daily builds available at that time.

I released the latest Solar2D recompiled version today, but I think it will probably be rejected.
I am waiting for the answer now.

@vlads In the screenshot I shared from Google Play Console it says “deadline: 01/19/2018”. However, we updated the app without issues on July 9, 2020 (with version 3565). We didn’t get a warning or rejection when we submitted this update.

We haven’t updated the app since then. And now, 5 months later, they remove our app from the store.

I can also forward you the Google Play email, but I am not sure where to send it to.

Wow. This is insane. I’m working on an additional check for this vulnerability. Build is coming up in a couple of hours.

I am terribly sorry that this is happening. I was sure I fixed this issue literally 3 years ago. I committed even more checks for path traversal and started a new build. It would be ready in about 2 hours, depending on how loaded the build servers are.

If your latest build is very old and you are unable to build a new one for some reason, consider editing the APK, and signing it again. Don’t do it unless absolutely necessary.

1 Like
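The check referred to above is the canonical-path containment test that Google's path-traversal guidance (the support link earlier in the thread) describes. The following is an added example written for this thread, not Solar2D engine code: it resolves an untrusted name (a filename from an intent, or a zip entry name, which is the assumption here) against a base directory and rejects anything whose canonical path lands outside that directory. The class name `SafePath`, the method `safeResolve` and the sample names are all constructed for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Added example (not Solar2D engine code): canonical-path containment check.
 * An attacker-chosen name such as "../../etc/passwd", or a zip entry name
 * containing ".." segments, must never resolve to a file outside the
 * directory the app intended to write into or read from.
 */
public final class SafePath {

    /** Thrown when the resolved path escapes the allowed base directory. */
    public static final class PathTraversalException extends IOException {
        public PathTraversalException(String msg) { super(msg); }
    }

    /**
     * Resolves untrustedName against baseDir and returns the canonical File,
     * or throws if the canonical result is not strictly inside baseDir.
     * Canonical paths collapse "." and ".." and follow symlinks, so a symlink
     * planted inside baseDir cannot be used to escape it either. The base
     * directory itself is rejected, because a name is expected to denote a
     * file inside it.
     */
    public static File safeResolve(File baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new PathTraversalException("empty name");
        }
        // Compare with a trailing separator so that base "/data/app" does not
        // accidentally accept a sibling such as "/data/app-evil/x".
        String base = baseDir.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator;
        }
        File candidate = new File(baseDir, untrustedName);
        String canonical = candidate.getCanonicalPath(); // works for nonexistent files too
        if (!canonical.startsWith(base)) {
            throw new PathTraversalException("path outside base dir: " + untrustedName);
        }
        return candidate.getCanonicalFile();
    }

    // Constructed sample names: one legitimate, one traversal attempt, and one
    // that contains ".." yet still resolves inside the base directory.
    private static final String[] SAMPLES = {
        "report.txt",
        "../../etc/passwd",
        "sub/../report.txt",
    };

    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("safe-path-demo").toFile();
        for (String name : SAMPLES) {
            try {
                System.out.println("accepted: " + name + " -> " + safeResolve(base, name));
            } catch (PathTraversalException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the `main` above accepts `report.txt` and `sub/../report.txt` (both canonicalise to a file inside the temp directory) and rejects `../../etc/passwd`. The string-prefix comparison must be done on canonical paths of both sides; comparing the raw name for a literal `..` is not enough, since URL-encoded or symlink-based variants bypass a substring check while still resolving outside the directory.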

New build with possible fix was just published. Can anyone verify if the problem goes away with it?

Thanks for the update @vlads :+1:. We will build with the new version and submit. I will let you know if this build gets accepted.

1 Like

Yes I will try it.

P.S.
By the way, Google scolded me that the one I gave in the latest version of Solar2D last night hasn’t changed.

  1. Compile as usual,
  2. Test execution is normal,
  3. After uploading to Google Play …
    I was told that an older version remained in open testing and could not be reviewed.
    However, the open test seems to be indelible at the moment, and I sent an email asking what to do.
    (Here now.)

Thank you @vlads. Tomorrow is the earliest we will be able to get a new build submitted. I will keep everyone posted.

Just chiming in here quick:

From what I’ve understood based on having followed several topics like this over the years is that Google often targets old/unavailable builds too.

If you have some old Corona era builds in your internal beta track (or related), then get rid of all such builds first. While these builds aren’t technically available to the public, they may still get flagged by Google and can cause your apps to be removed from the store. In these situations, updating your current production build wouldn’t even resolve the issue because the problem isn’t with the current build(s), but with some old build that has been forgotten in the Google Play Developer Console several years ago.

1 Like

My app that they deleted is back. It was published, thank you (^Q^)/

  1. Compiles successfully with 2020.3635
  2. Overall tested and no problem
  3. Released
  4. I was told to remove the old version that remained in the test
  5. There is no way to erase it, so I overwrote it with the latest version
  6. They made it public

The biggest problem for me was that I was told to erase the old version.
No matter how much I searched, I couldn’t find a way to remove the apps listed in OpenTest.
It seems that the answer is correct by overwriting without erasing.

@CyberCatfish thanks for the info. Glad to hear your app was published again.

How did you overwrite the old version? Did you upload a build with the same version name and version code? I thought the system does not allow uploading builds with a lower version code.