Path traversal security vulnerability on Google Play

If you hover over the app in the developer console it will state which version of the APK has the issue.

I have updated mine, and there is a delay as expected, just takes time for the issue to propagate through.

You could also try releasing it as an alpha or beta build and run the security check there :slight_smile:

It took about 2 days for the issue to go away for my test app. Also, if any of your live binaries have the issue, it would show an exclamation mark in the console.

To check if issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

You may have to activate Pre-launch reports and submit another build to check it out…

I just updated with 3167 and Google shows me the warning too!!!

Security alert

Your app is using a content provider with an unsecured openFile implementation. See this article in the Google Help Center for details.

Vulnerable classes:

com.ansca.corona.storage.FileContentProvider

Fix the problem before this date: 01/15/2018

It affects version 222 of the APK.

I use these plugins:

plugins =
{
        ["CoronaProvider.ads.iads"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { iphone=true, ["iphone-sim"]=true },
        },
        ["CoronaProvider.ads.vungle"] =
        {
            publisherId = "com.vungle",
        },
        ["plugin.fbAudienceNetwork"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { iphone=true, android=true }
        },
        ["CoronaProvider.native.popup.social"] =
        {
            publisherId = "com.coronalabs"
        },
        ["plugin.facebook.v4a"] =
        {
            publisherId = "com.coronalabs"
        },
        ["plugin.google.play.services"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android=true }
        },
        ["CoronaProvider.gameNetwork.google"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android = true }
        },
        ["plugin.google.iap.v3"] =
        {
            publisherId = "com.coronalabs",
            supportedPlatforms = { android = true }
        },
},
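
The alert quoted above flags an unsecured openFile implementation in a content provider. As an added example (not Corona/Solar2D source and not code posted in this thread), this is one common form of the canonical-path containment check that a file-serving openFile applies to the requested path before opening anything; the class name, base directory and sample paths are assumptions.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Added illustration; SafePathResolver is a hypothetical name, not project code.
public class SafePathResolver {

    // Resolve a caller-supplied relative path against baseDir and reject
    // anything whose canonical form lands outside baseDir.
    static File resolveInside(File baseDir, String requested)
            throws FileNotFoundException {
        File base;
        File target;
        try {
            base = baseDir.getCanonicalFile();
            // getCanonicalFile() collapses "." and ".." and resolves symlinks.
            target = new File(base, requested).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException("Cannot canonicalize path");
        }
        // Compare against base + separator so a sibling such as
        // "provider_files-evil" does not pass as a child of "provider_files".
        String prefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new FileNotFoundException("Path escapes base directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the base directory is hypothetical.
        File base = new File(System.getProperty("java.io.tmpdir"), "provider_files");
        base.mkdirs();
        String[] samples = {
            "images/logo.png",
            "../shared_prefs/secret.xml",
            "images/../../databases/app.db",
            "../provider_files-evil/x",
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolveInside(base, s));
            } catch (FileNotFoundException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample resolves inside the base directory; the other three are denied.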

To check if issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

THANKS … now it’s ok!!!

Download the last version of corona, rebuild and publish a new version.

This fixed it for me.

Using Corona-3195.

One of our apps was removed from Google Play today due to Path Traversal vulnerability. Our app is built with Corona version 2019.3565.

The app doesn’t use any plugins and it uses only basic permissions (INTERNET, CHECK_LICENSE, ACCESS_NETWORK_STATE, WRITE_EXTERNAL_STORAGE)

Did anyone else have this problem recently?

I received the same email for an app that has been active in the store for several years and that has been updated with a very recent version of Solar2D.

Is there a setting that we need to apply in build.settings or config.lua?

@vlads do you have any ideas on how to fix this issue? Sooner or later all our apps will be removed from Google Play for the same reason.

This should’ve been fixed like years ago. So weird. Which article does it link to?

@vlads This is the link: https://support.google.com/faqs/answer/7496913

@vlads My goodness. I received the same dreaded email on one of our apps yesterday. It has been REMOVED from the app store as of yesterday. This app makes money every single day so this has an immediate impact on our revenue stream. The “removed” app was last updated a few months ago using Build 3615. It is a 4 year old app. It has used these plugins for several years: gpgs, adcolony, startapp, chartboost, admob, applovin, vungle, fbAudienceNetwork, facebook, flurry, notifications. Please help us soonest with any possible guidance or fixes. Like @elvo, I am worried that this is the tip of a “removal” iceberg (avalanche?) as all of our apps are built similarly. I can forward the entire Google email to you if you wish. Thanks.

Yes please, this was fixed a long time ago. Well. I hope it was fixed. But you say that you got this issue with 3615?
Please, forward me an email to support. Either solar2d.com or coronalabs.com.

Please. Paste text so I can google what is going on. Typing from screenshots is not great. Thanks.

OK. This issue was fixed about 3 years ago. According to the link https://support.google.com/faqs/answer/7496913 @elvo provided, it seems that you couldn’t upload an app or update with this vulnerability since January 16th, 2018.
So it seems I am missing something here, because lots of people did upload updates to their apps over the last 3 years.
Please, forward original emails, with issue descriptions.

I’m sorry I wrote a new thread because I was in a hurry.
forums:#352911
Maybe I have a similar problem, the app has been removed.

My app is also an old app that has been updated for 5 years.
Last time I dealt with multiple apps for this issue.
For most apps, the warning disappeared and the problem went away.
However, only this app continued to display warnings.
I was told in the forum that the warning display may disappear after a delay, and I left it alone.
The app disappeared instead of the warning disappearing :sob:

@vlads I just forwarded the Google Email (along with my build.settings file) telling me of my “removal”. I sent it to an address of yours from some correspondence we had. Also, I examined the timing of the last update (August, 2021) and I am about 95% certain it was made with build #3609. Let me know if you don’t receive my email. Thanks. Steve

BTW – this particular app has been updated 2 or 3 times a year every year since 2016. So it has had about 6 successful Google Play updates since 2018.
Steve

If it’s the same as my problem, I don’t think the build version is relevant.
My app has also been released since 2015, but the last update date is April of this year.
I’m using the daily builds available at that time.

I released the latest Solar2D recompiled version today, but I think it will probably be rejected.
I am waiting for the answer now.

@vlads In the screenshot I shared from Google Play Console it says “deadline: 01/19/2018”. However, we updated the app without issues on July 9, 2020 (with version 3565). We didn’t get a warning or rejection when we submitted this update.

We haven’t updated the app since then. And now, 5 months later, they remove our app from the store.

I can also forward you the Google Play email, but I am not sure where to send it to.

Wow. This is insane. I’m working on an additional check for this vulnerability. Build is coming up in a couple of hours.