Path traversal security vulnerability on Google Play

Hello everyone! Daily build 3145 was just published. Only change is closing mentioned vulnerability. Thank you for your patience.

Testing this issue was extremely hard, since Google Play seemingly doesn’t provide any indication that it was fixed. If you have any questions feel free to ask.

Thanks!

Thanks! I’ll be doing an update submission in a day or two and I’ll let you know if I hear/see anything regarding this issue. 

@vlads,

any chance we can get info on what the underlying issue was?  and the fix?  Might help with some native mode issues.

thanks

Dave

Has anyone tried uploading an APK with a Corona build older than 3145, to see if it gets a path traversal warning/rejection?  Just trying to see if there is any way to know whether the fixed build is accepted by Google.

@dislam, problem is the email says “Starting January 16th, 2018, Google Play will block publishing of any new apps or updates that contain this path traversal vulnerability.” so they may not say anything until January, even if the issue is still present in an older build. Makes it tough to know for sure!

You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. 

.

In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok. 
 

I would also like to know what used this too happen. I have over ten apps marked that were built a good while ago on an old build. My issue is that some of the apis have been updated and it would take many days to update them to the latest build. So Iam thinking if the cause can be resolved by removing something or adding something to build settings or manifest it would greatly help. An explanation of the cause and how it was rectified again would be most helpful.

[quote name=“Sheekore” post=“366917” timestamp=“1506148232”]You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard.    attachicon.gif Screenshot (3).png .   In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok. [/quote] Great, thank you. This wasn’t enabled for any of my apps. Looks like I have to select the “Opt In” to enable it for future builds.

It is always worth updating your apps. Corona makes it extremely easy. If you are using some old framework, you can always download it and still use it, even if it is not in the Core distribution anymore. Just drop it to root folder of sources and you’re good, for example, here is storyboard.lua. If you need to migrate really old Google IAP plugin or something, we have easy to follow guides on how to do that.

Updating your apps would make them look better on newer Android phones, and generally helps Google Play Store placement.

But if you can not rebuild app, I made not-so-simple instructions on how you can actually manually edit manifest to “fix” this vulnerability. Make sure to test your app after making this changes:

In nutshell, I use apktool to decompile apk, then edit it’s manifest, then recompile and re-sign it.

https://gist.github.com/Shchvova/41628494a2db1dcee611535f8d185b48

Again: do not do that unless you absolutely must to.

If you use the apktool to manually edit the manifest, do you have to do this everytime you do a build or is the manifest somewhere in my app resources and once you change it once it’s changed forever?

If you plan to build your app and then use APK took, you should seriously consider building with 3145, where this is just fixed.

@Vlads,

thanks for this, successfully updated 4 apps this way as I really wouldve had to make some serious changes.

Moved up to 3145 now for the rest.

Thanks for a nicely detailed response :slight_smile:

Welcome! Thank you for using Corona.

Again. My APK hacking is just, exclusively so you can re-submit your existing apps you absolutely 100% can not update. So you may download APK, hack it and resubmit. This is not for building APK with older build and submitting it again.

Hi, I have compiled my apk with version 2017.3135 and two days ago I upload the new apk in the console of Google Play and continues to report that the vulnerability problem persists.

What can happen?

We should have this addressed in daily build 3145 or later.

Rob

We have been able to update our apps successfully, but we have quite a few to update.

Does this appear to be a mandatory thing that google wants updated by a specific date? 

From what we gathered in the email, it seems like it’s not mandatory, but if we were to push any updates after January (or whatever date was mentioned), that we would have to fix the issue. 

Hi @Rob,

I have updated my apps with the 3156 but I can still see the warning. Any suggestion about? How could I solve it?

Thanks a mil

g

Hi,

Apparently the issue not fixed in the Enterprise version yet (latest build is 3086):

https://developer.coronalabs.com/downloads/daily-builds

Can you please update the Enterprise version as well ? We have a lot of apps built with Enterprise version and we need to fix the Google Play issue.

Thanks!

There isn’t an “Enterprise” any longer. It’s now called “Native builds”.  It’s in the same download as the Corona DMG file. Install Corona like you would the simulator, go to /Applications/Corona-nnnn (where nnnn is the daily build number), and you will find a folder there named “Native”. Run the “Setup Corona Native” if you’re going to use new “App” based projects. Run “Setup Corona Enterprise” so your older Enterprise based App projects will run.  But you will be on a new version of Corona when you do.

Rob

Not sure if this is your issue, but I updated two apps and one immediately did not show the warning but the other still did after a day or two. But, then the warning disappeared. So, perhaps there is a delay in how Google is checking this. Might be worth waiting another day or two.