Path traversal security vulnerability on Google Play

I am terribly sorry that this is happening. I was sure I fixed this issue literally 3 years ago. I committed even more checks for path traversal and started a new build. It should be ready in about 2 hours, depending on how loaded the build servers are.

If your latest build is very old and you are unable to build a new one for some reason, consider editing the APK, and signing it again. Don’t do it unless absolutely necessary.

A new build with a possible fix was just published. Can anyone verify if the problem goes away with it?

Thanks for the update @vlads :+1:. We will build with the new version and submit. I will let you know if this build gets accepted.

Yes I will try it.

P.S.
By the way, Google scolded me that the one I gave in the latest version of Solar2D last night hasn’t changed.

  1. Compile as usual,
  2. Test execution is normal,
  3. After uploading to Google Play …
    I was told that an older version remained in open testing and could not be reviewed.
    However, the open test seems to be indelible at the moment, and I sent an email asking what to do.
    (Here now.)

Thank you @vlads. Tomorrow is the earliest we will be able to get a new build submitted. I will keep everyone posted.

Just chiming in here quick:

From what I’ve understood based on having followed several topics like this over the years is that Google often targets old/unavailable builds too.

If you have some old Corona era builds in your internal beta track (or related), then get rid of all such builds first. While these builds aren’t technically available to the public, they may still get flagged by Google and can cause your apps to be removed from the store. In these situations, updating your current production build wouldn’t even resolve the issue because the problem isn’t with the current build(s), but with some old build that has been forgotten in the Google Play Developer Console several years ago.

My app they deleted is back. It was published, thank you (^Q^)/

  1. Compiles successfully with 2020.3635
  2. Overall tested and no problem
  3. Released
  4. I was told to remove the old version that remained in the test
  5. There is no way to erase it, so I overwrote it with the latest version
  6. They made it public

The biggest problem for me was that I was told to erase the old version.
No matter how much I searched, I couldn’t find a way to remove the apps listed in OpenTest.
It seems that the answer is correct by overwriting without erasing.

@CyberCatfish thanks for the info. Glad to hear your app was published again.

How did you overwrite the old version? Did you upload a build with the same version name and version code? I thought the system does not allow uploading builds with a lower version code.

In another thread SGS wrote:

For future reference (and others that might not know this) to remove an old channel, simply prepare a new release in that channel and do not add an APK. When you publish the update that channel will disappear.

Also, if it is not a public channel you can put like a hello world application there or something.

We submitted an update built with version 2020.3635 and it got approved, so our app is live again.

Maybe the fix on 3635 did the trick, or maybe the problem was with older APKs still present in Closed Testing tracks as @XeduR said.

In any case the problem is fixed now. Thanks everyone for your help.

We had the same results as @elvo. Built with 3635 and Google accepted it after 4 days of being in limbo and the app out of the store. Thanks for the “fix” @vlads. Happy New Year!

We released a new game with that build and it seems it’s fixed. Thanks Vlad.