[RESOLVED] VERY disturbing! Hidden network traffic by Corona SDK breaks Jellybean.

I’ve posted a few days ago that we received emails from clients with Jellybean installed about app crashes.

The “good” news are we have managed to find the problem.
The BAD news are, we have no way of solving it.

In general anyone that uses apktool/multitool to change the manifest xml file to remove unused permissions will find that their application crashes sporadically when running on Android 4.1.

The reason is a change in the behavior of the OS when an unauthorized request is made. In our case we are targeting toddlers and children and we had to remove all the permissions that were considers as a privacy concern to our clients. Meaning no identity/location/network access what so ever.

We did of course disable the dashboard (with launchPad = false in the config.lua) and then we unpacked our APK and packed it back without all the permissions.
We are not using any extended library like OF, Flurry or even IAP! we are just using the plain graphics library (display.*, etc) we expect ZERO network traffic.

On any Android version before 4.1 we had no issues. But on 4.1 we get a lot of exceptions sent to our developer console. They all share the same stack trace:

java.lang.SecurityException: Permission denied (missing INTERNET permission?)  
at java.net.InetAddress.lookupHostByName(InetAddress.java:418)  
at java.net.InetAddress.getAllByNameImpl(InetAddress.java:236)  
at java.net.InetAddress.getAllByName(InetAddress.java:214)  
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:137)  
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)  
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)  
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)  
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)  
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)  
at com.loopj.android.http.AsyncHttpRequest.run(Unknown Source)  
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)  
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)  
at java.lang.Thread.run(Thread.java:856)  
Caused by: libcore.io.GaiException: getaddrinfo failed: EAI\_NODATA (No address associated with hostname)  
at libcore.io.Posix.getaddrinfo(Native Method)  
at libcore.io.ForwardingOs.getaddrinfo(ForwardingOs.java:55)  
at java.net.InetAddress.lookupHostByName(InetAddress.java:405)  
... 12 more  
Caused by: libcore.io.ErrnoException: getaddrinfo failed: EACCES (Permission denied)   

Our conclusion is that versions prior to 4.1 just silently ignored unauthorized internet access while Jellybean throws a hard exception that crashes Corona SDK.
I have NO idea why such traffic is generated! When our clients complained Corona has “spyware” (they found out we are using Corona from the Corona badge on our site) in it we removed all these permissions and replied to them defending Corona and ourselves and they all were happy with the result. Now how can we explain adding back intrusive permissions?

Our only solution to this would be to enable the INTERNET permission but we are going to receive a lot of bad client feedback for such a move. Sadly, I don’t think we have a choice with the fast deployment of 4.1.

So, Corona PLEASE support us
I’m sure this issue is going to affect a LOT of other customers as well (I’ve learned how to do it on this forum…). If you can on your side “try” and “catch” these exceptions at the java level it should solve this I think.
[import]uid: 80469 topic_id: 28907 reply_id: 328907[/import]

Why in the world does Corona send anything not authorized by the developer over the net? Need some explanation here from the staff, please. [import]uid: 160496 topic_id: 28907 reply_id: 116418[/import]

+10000000 Hello Corona stuff?! [import]uid: 12704 topic_id: 28907 reply_id: 116475[/import]

Surely it’s something to do with the analytics service they provide? [import]uid: 87794 topic_id: 28907 reply_id: 116476[/import]

my guess is that its the dashboard analytics thing. Dont think you can turn that of as far as I know. Hopefully someone from Corona can explain it. [import]uid: 17969 topic_id: 28907 reply_id: 116477[/import]

If the analytics is a “service”, then the developer should be able to turn it off. Unless it’s a service for Corona, and not for the developer. Which would be fine, if Corona was a freebee - you expect this kind of thing of freebees. Not of something you pay for.

Look, there are a LOT of paranoiacs out there who are spurred on by all kinds of articles about the nefarious net companies gathering data on them. You and I (well, I and maybe you) know that the data gathered is always aggregate, not personalized, and there are maybe a handful of programs out there that are spyware that act and serve as legit apps, but the CUSTOMERS do not know this. The media has been buzzing into their ears about spyware, and if they see an educational game app that says it needs access to the phone contacts when it installs, that is what they will see it as - spyware. Even worse - spyware that wants to spy on their kid. Which leads to complaints, one-star ratings, and demands for refunds.

Seriously Corona - are you guys this clueless about this? I have been a client-side application developer (in financial markets, not iOS apps, but still) for decades, and any HINT that there is some kind of side-communication going on in your program will decimate your user base. And *especially* with the review system in place like there is for apps where just a few of your users have to put the dreaded s-word (“spyware”) in the review, and it will scare off 90% of potential buyers of the app. [import]uid: 160496 topic_id: 28907 reply_id: 116479[/import]

@mike470, you’re spot on!
This is exactly what happened to us. We got featured on Amazon and got 150,000 downloads in one day just to receive tens of reviews by paranoid users that thought we are collecting data on them. This killed our rating and download stats for a few days… After we removed the permissions it silenced these voices.

But now we are afraid to get into the same situation again and worse! (some users replied to us that they still don’t believe us and that they think we’ll add these permissions again in the future…)
[import]uid: 80469 topic_id: 28907 reply_id: 116480[/import]

@borgb - “my guess is that its the dashboard analytics thing”

Yeah but it use phone and internet permission so lots of users just don’t download your app because of this settings. Personally I don’t need analytics. [import]uid: 12704 topic_id: 28907 reply_id: 116481[/import]

@gury

Are you saying that

[lua] launchPad = false [/lua]

does nothing?

What about androidPermissions as in

[lua]settings =
{
:
androidPermissions =
{
“android.permission.ACCESS_FINE_LOCATION”,
“android.permission.INTERNET”
},
}[/lua]

Does this not affect permissions?
[import]uid: 84768 topic_id: 28907 reply_id: 116502[/import]

hey @jfb,

The only thing I know launchPad=false does is to remove my app from the site’s launchpad. as for network traffic, I was sure it will be removed but now I think at least some traffic is still there, I cant tell what is really being sent.

Not really sure what you meant by the rest of your comment, adding the androidPermissions clause will add them to your androidmanifest.xml
what we were trying to do is remove them…
(As a matter of fact, as far as I know, Corona defaults to have the INTERNET permission on even if you dont add that in your androidPermissions clause…)

Just to make everything clear. no network is being done in our case cause we removed the permissions. but network traffic is trying to happen!! and we only found out about this because in 4.1 when this scenario happens you get a hard exception which crashes Corona SDK.

I hope this helps.
I will also be super happy to admit I was wrong if someone explains to me where…

Gury [import]uid: 80469 topic_id: 28907 reply_id: 116506[/import]

I was thinking [lua]androidPermissions=nil[/lua] but I guess that would be too simple!
[import]uid: 84768 topic_id: 28907 reply_id: 116517[/import]

I’d like to hear from Corona’s reps on this. I have a (4 billion + / year) client I am trying to sell on this API but ANY whiff of network traffic is a total non-starter for them.

Guys, unaccounted for network traffic AUTOMATICALLY fails a security audit. No retailers could use your device as it would fail PCI compliance.

We need an answer / explanation on this one.

Best practice would be NO unauthorized traffic at any time unless explicitly allowed by the developer. [import]uid: 141438 topic_id: 28907 reply_id: 116532[/import]

Have you filed a bug report with Corona Labs? Posting to a forum is no guarantee of getting their attention. [import]uid: 19626 topic_id: 28907 reply_id: 116536[/import]

As far as I can tell this is not a bug but a desired behavior Corona intended for. I just want to change it or have an option to do it like many other users. [import]uid: 80469 topic_id: 28907 reply_id: 116537[/import]

Sigh… The report a bug function REQUIRES me to submit code to reproduce a bug.

Since I’m just asking for follow up there seems no way to get their attention.

I’ll assume we’ll see more issues like this as Corona attempts to sell to Enterprise level accounts. The two types of developers are VERY different and Enterprise is very careful who / when they release any proprietary code into the wild.
[import]uid: 141438 topic_id: 28907 reply_id: 116539[/import]

Have you tried this?

http://www.ludicroussoftware.com/blog/2012/05/08/remove-unused-libraries-from-corona-apps/

(in principle one could edit the .smali files to remove web traffic)
[import]uid: 84768 topic_id: 28907 reply_id: 116546[/import]

@ rdytmire

I think if [lua]launchPad = false[/lua] does not switch of analytics then this IS a bug!
[import]uid: 84768 topic_id: 28907 reply_id: 116552[/import]

Since you know what causes the problem, you should be able to write a small app that demonstrates it. You don’t need to submit your entire app. [import]uid: 19626 topic_id: 28907 reply_id: 116562[/import]

I don’t see the point in filing a bug. No one said the traffic is generated by analytics.

The only thing I know is that there is traffic when I’m not expecting it. Analytics is one option that was mentioned here but got no confirmation from any official source.

I also do not think it’s any kind of regression, I think it always worked this way and was only caught because of an OS behavior change + us unpacking the APK with an external tool.

This thread was forwarded to the right people by Peach so I will just wait for the official response…

Regardless, I cannot reproduce this myself because I don’t have a Jellybean device. [import]uid: 80469 topic_id: 28907 reply_id: 116565[/import]

Looking into this, as what you are saying doesn’t makes sense. The launchpad setting in config.lua should override unless you are using a service from one of our launchpad partners, e.g. inneractive.

Just so you know we take privacy very seriously. We even had our lawyers draft up a privacy policy designed for you to use as an app developer (this is distinct from the privacy policy that all web sites post) so you can give something to end users.

When we last looked, this is something no one other app platform is doing:

http://www.coronalabs.com/privacy-policy/privacy-policy-for-app-users/
[import]uid: 26 topic_id: 28907 reply_id: 116582[/import]