Path traversal security vulnerability on Google Play


Again. My APK hacking is just, exclusively so you can re-submit your existing apps you absolutely 100% can not update. So you may download APK, hack it and resubmit. This is not for building APK with older build and submitting it again.

Hi, I have compiled my APK with version 2017.3135, and two days ago I uploaded the new APK to the Google Play console, and it continues to report that the vulnerability problem persists.

What can happen?

We should have this addressed in daily build 3145 or later.

Rob

We have been able to update our apps successfully, but we have quite a few to update.

Does this appear to be a mandatory thing that Google wants updated by a specific date?

From what we gathered in the email, it seems like it’s not mandatory, but if we were to push any updates after January (or whatever date was mentioned), that we would have to fix the issue. 

Hi @Rob,

I have updated my apps with 3156 but I can still see the warning. Any suggestions? How could I solve it?

Thanks a mil

g

Hi,

Apparently the issue is not fixed in the Enterprise version yet (latest build is 3086):

https://developer.coronalabs.com/downloads/daily-builds

Can you please update the Enterprise version as well? We have a lot of apps built with the Enterprise version and we need to fix the Google Play issue.

Thanks!

There isn’t an “Enterprise” any longer. It’s now called “Native builds”.  It’s in the same download as the Corona DMG file. Install Corona like you would the simulator, go to /Applications/Corona-nnnn (where nnnn is the daily build number), and you will find a folder there named “Native”. Run the “Setup Corona Native” if you’re going to use new “App” based projects. Run “Setup Corona Enterprise” so your older Enterprise based App projects will run.  But you will be on a new version of Corona when you do.

Rob

Not sure if this is your issue, but I updated two apps and one immediately did not show the warning but the other still did after a day or two. But, then the warning disappeared. So, perhaps there is a delay in how Google is checking this. Might be worth waiting another day or two. 

If you hover over the app in the developer console it will state which version apk has the issue.

I have updated mine, and there is a delay as expected, just takes time for the issue to propagate through.

You could also try releasing it as an alpha or beta build and run the security check there :)

It took about 2 days for my test app for the issue to go away. Also, if any of your live binaries have the issue, it would show an exclamation mark in the console.

To check if the issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

You may have to activate Pre-launch reports and submit another build to check it out…

I just updated with 3167 and Google shows me the warning too!!!

Security alert

Your app is using a content provider with an unsecured openFile implementation. See this article in the Google Help Center for details.

Vulnerable classes:

com.ansca.corona.storage.FileContentProvider

Fix the problem before this date: 01/15/2018

It affects version 222 of the APK.

I use these plugins:

```lua
-- build.settings (plugins section only)
settings =
{
    plugins =
    {
        ["CoronaProvider.ads.iads"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { iphone=true, ["iphone-sim"]=true },
        },
        ["CoronaProvider.ads.vungle"] =
        {
            publisherId = "com.vungle",
        },
        ["plugin.fbAudienceNetwork"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { iphone=true, android=true }
        },
        ["CoronaProvider.native.popup.social"] =
        {
            publisherId = "com.coronalabs"
        },
        ["plugin.facebook.v4a"] =
        {
            publisherId = "com.coronalabs"
        },
        ["plugin.google.play.services"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android=true }
        },
        ["CoronaProvider.gameNetwork.google"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android = true }
        },
        ["plugin.google.iap.v3"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android = true }
        },
    },
}
```

To check if issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

THANKS … now it’s ok!!!

Download the latest version of Corona, rebuild and publish a new version.

This fixed it for me.

Using Corona-3195.


Same thing happens to me. All my corona apps on Google Play are getting a warning!

Yep, same here. I believe it is related to website links we have in the apps, not from plugins. At least in my case I suspect that.

Trying to narrow down whether this is a “generic” io.open issue or in one of the plugins. (like zip)

Also, would adding exported=false to the android table in build.settings get added to the manifest?

Same problem here.  Please help, Corona!

The same for me :(

Hey!

We are aware of this issue and trying to solve & test it right now. I will post updates.

Thanks vlads, I also have received a warning from Google.

Cheers,
Jeff