[RESOLVED] VERY disturbing! Hidden network traffic by Corona SDK breaks Jellybean.

Thanks for the reply Walter. Although it seems kind of cryptic. What part does not make any sense? They obviously have captured HTTP traffic outbound from the device that the developer did not send. There is no question of this.

I’ve read your privacy statement and I have some questions:

Your privacy statement explicitly says that Corona Labs IS collecting data about usage.

Are you stating that CoronaLabs API data gathering can be completely shut down? What if we want to access HTTPS on our own back end but we want to be 100% sure no other data is sent anywhere else?

Your end-user security statement is for app-users. Not enterprise customers. Enterprise customers have large I.T. departments that are going to pick up this traffic and raise all kinds of red flags. You’ll have a tough time deploying to any kind of P.O.S (Point of sale), financial, or .gov services with an “Always on” data collector. No matter how “passive” it is.

Imagine trying to tell Starbucks that you’ll be collecting data on their app’s usage…do you think that will fly? Not in a million years. That’s marketing data about their customers you’re harvesting (even in aggregate) and that’s a big no-no.

So the bottom line, if a developer wants your API to do NO communicating outside of something they explicitly write is this possible?

To re-phrase: If I open HTTP access on my app is there a way to prevent Corona API from transmitting ANY data I do not explicitly tell it to?

[import]uid: 141438 topic_id: 28907 reply_id: 116586[/import]

@rdtymire, http calls you make explicitly are your own. We would never imagine logging any of that.

The code is structured to do analytics data collection only when launchpad is on. As I mentioned, you can turn it off via a config.lua setting, as long as you don’t use a 3rd party launchpad service.

What doesn’t make sense is it’d still be happening when launchpad is turned off, which seems to be the claim by @gury.traub — that’s what we’re looking into. [import]uid: 26 topic_id: 28907 reply_id: 116594[/import]

Thanks Walter for looking into it,
Let me know if I can provide anything else to help your investigation.

Not sure it’s important to you but two examples of games we have which exhibit the problem are called “What’s Different” and “Mix And Match”. To be sure analytics is off I checked the app is not appearing in the dashboard on your site.
I can also assure you we are not using any 3rd party tool that would activate the dashboard.

If you really run into a dead end I’m even willing to send you the source code of one of them (as long as you keep it to yourself :slight_smile: )

Let me know,

Thanks again!

PS, everyone is mentioning launchPad as the source of this traffic and surely I have no clue how your code is arranged, but just to clarify I have no way of knowing what the source is. As far as I know it might just be some isolated http request in Corona SDK’s code which has no connection to analytics. [import]uid: 80469 topic_id: 28907 reply_id: 116599[/import]

UPDATE: Good news is that launchpad behaves as expected — no network traffic when you opt out.

@gury.traub, I was not able to reproduce the issue on the Nexus7 running 4.1.

I took the HelloWorld project, added the launchPad=false, removed the permissions (android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.READ_PHONE_STATE) and there was no issue, no crash. I also tried locking the screen and resuming the app without a problem.

I have to assume there are some network calls in your project that are the culprit.
[import]uid: 26 topic_id: 28907 reply_id: 116616[/import]

I’ll recheck all our games
[import]uid: 80469 topic_id: 28907 reply_id: 116647[/import]

Hi all.

Seems we were bashing Corona SDK for NOTHING…

I’ve investigated more and found that there is an http call hiding in a library we are using (crawlspaceLib); it runs a check to see if there is internet available.

I’m so sorry for your time :frowning:

Thanks Walter for your time and again… sorry!
[import]uid: 80469 topic_id: 28907 reply_id: 116649[/import]

Don’t worry about it gtt, I at least found it an interesting read :smiley:

It’s nice to know the launchpad setting does actually work as expected! [import]uid: 69826 topic_id: 28907 reply_id: 116651[/import]

Yep, that’s good to know :slight_smile:

But regardless, I should have checked more on my side and not assumed from the beginning this is something in Corona. Our judgment was completely wrong, and for that I have nothing but to be sorry for. Corona has been nothing but great for us… [import]uid: 80469 topic_id: 28907 reply_id: 116659[/import]

@Walter, a quick question

You said

“I took the HelloWorld project … removed the permissions (android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.READ_PHONE_STATE)…”

how did you remove the permissions? What is the recommended way to do this?

Many thanks!
[import]uid: 84768 topic_id: 28907 reply_id: 116662[/import]

Supposedly you do this using apktool, although I tried it and was not successful.

The procedure is supposed to be, you take the APK file generated by Corona, decompile it using apktool, edit AndroidManifest.xml to remove those permissions and all other extraneous stuff, then rebuild the APK using apktool again, sign it using jarsigner then run it through zipalign and voila! You have a nice clean APK. Except after I do all that, and try to install the resulting file using app installer, it fails to install. No idea why.

The point is, one shouldn’t have to jump through hoops to do that. Corona should allow developers to remove this stuff during the normal build process. Hell, make it a *little* obscure, make it some flag you have to enter in build settings, but make it possible. [import]uid: 160496 topic_id: 28907 reply_id: 116690[/import]
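The manifest-editing step of the procedure described above, as an added example (not Corona's or apktool's code, and not part of the original post): it operates on the text of an `AndroidManifest.xml` that apktool has already decoded and reports what was removed and what remains. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

def strip_permissions(manifest_xml, unwanted):
    """Remove the named <uses-permission> entries from decoded manifest text.

    Returns (new_xml, removed, remaining) so the edit can be reviewed before
    the APK is rebuilt and re-signed.
    """
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(manifest_xml)
    removed = []
    for elem in list(root.findall("uses-permission")):
        if elem.get(NAME) in unwanted:
            removed.append(elem.get(NAME))
            root.remove(elem)
    remaining = [e.get(NAME) for e in root.findall("uses-permission")]
    return ET.tostring(root, encoding="unicode"), removed, remaining

# The three permissions named in the thread.
UNWANTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample manifest; package name and contents are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helloworld">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <application android:label="HelloWorld" />
</manifest>"""

if __name__ == "__main__":
    new_xml, removed, remaining = strip_permissions(SAMPLE_MANIFEST, UNWANTED)
    print("removed:  ", removed)
    print("remaining:", remaining)
    print(new_xml)
```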

jfb, mike,

Those 3 permissions are in the AndroidManifest.xml file for a reason. We can’t just simply strip them out because a lot of the existing code in Corona and its 3rd party libraries depend on these permissions. Removing them can cause crashes to occur. We already recognize that many Corona developers would like the option to have these permissions removed and it is on our to-do list, but it involves us putting many safeguards in place to prevent crashes and other unexpected behaviors from occurring.

Also, we can’t provide you tech-support once you hack your APK with apktool… or with any 3rd party tool. We will only provide support for APKs built with Corona because that is what we’ve internally tested with, approved, and provided documentation for. Of course, you are free to do what you want with the APK but you are on your own once you’ve modified it… and you really *REALLY* need to know what you are doing when modifying that AndroidManifest.xml file because all of those settings are there for a reason. [import]uid: 32256 topic_id: 28907 reply_id: 116749[/import]

Ok, Joshua, can you explain

  1. what “existing code in Corona or 3rd party libraries” needs Internet access if my app doesn’t and launchpad is off?

  2. why there are 3rd party libraries included if my app doesn’t use them and didn’t explicitly include them? [import]uid: 160496 topic_id: 28907 reply_id: 116750[/import]

@mike470 you might not be making the API calls, but I can think of the following API calls that need internet permission:

network.request (and the rest of the network api)
display.loadRemoteImage
system.openURL
native.showPopUp
native.showWebPopUp
native.newWebView
native.newVideo
audio.loadStream
media.playVideo (and potentially other media calls)

and a few more I’m missing. Those are all core libraries that are built in (Not loaded by “require”)
[import]uid: 19626 topic_id: 28907 reply_id: 116759[/import]
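The unexpected traffic earlier in this thread came from an http call inside a bundled library, and the post above lists the core APIs that need the Internet permission. The following added example (not part of the thread and not Corona's code) audits a project's Lua sources, third-party libraries included, for references to those APIs. The LuaSocket `require` pattern is an assumption that goes beyond the posted list, and the sample project and the library name `connectivity_lib` are constructed.

```python
import re
from pathlib import Path

# APIs the thread lists as needing the INTERNET permission (names as posted).
LISTED_APIS = [
    r"network\.\w+",  # network.request and the rest of the network API
    r"display\.loadRemoteImage", r"system\.openURL",
    r"native\.showPopUp", r"native\.showWebPopUp", r"native\.newWebView",
    r"native\.newVideo", r"audio\.loadStream", r"media\.playVideo",
]
# Assumption (not from the thread): LuaSocket modules can also open connections.
EXTRA = [r"require\s*\(?\s*[\"']socket[\w.]*[\"']"]
# Case-insensitive so spelling variants such as showPopup are still reported.
PATTERN = re.compile(r"(?<![\w.])(" + "|".join(LISTED_APIS + EXTRA) + ")", re.IGNORECASE)

def audit_source(path, text):
    """Return (path, line_number, matched_text) for each network-capable reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("--"):  # skip whole-line Lua comments
            continue
        for m in PATTERN.finditer(line):
            hits.append((path, lineno, m.group(1)))
    return hits

def audit_tree(root):
    """Audit every .lua file under root, bundled third-party libraries included."""
    hits = []
    for p in sorted(Path(root).rglob("*.lua")):
        hits.extend(audit_source(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return hits

# Constructed sample project: main.lua makes no network call, the library does.
SAMPLE = {
    "main.lua": 'local lib = require("connectivity_lib")\n'
                '-- network.request is not used here\n'
                'print("hello")\n',
    "connectivity_lib.lua": 'local M = {}\n'
                            'function M.online()\n'
                            '  network.request("http://example.com", "GET", function() end)\n'
                            'end\n'
                            'return M\n',
}

def audit_sample():
    return [h for path, text in sorted(SAMPLE.items()) for h in audit_source(path, text)]

if __name__ == "__main__":
    for path, lineno, api in audit_sample():
        print(f"{path}:{lineno}: {api}")
```

Run `audit_tree` on the project directory before trusting a capture that shows "unexplained" requests; a hit inside a library file is the kind of call that was found here.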

Robmiracle, as I posted, if I am NOT using ANY Internet-related features like the ones you mentioned, what will removing those permissions break?

I don’t like being treated like a little kid who doesn’t know what’s good for him. If I know that I don’t need certain capabilities, allow me to turn them off! It wouldn’t be a big deal if it was all fairly silent and transparent, like it is on iOS, but on Android the install announces those permissions in big friendly letters to every client, and awakes the paranoia. [import]uid: 160496 topic_id: 28907 reply_id: 116761[/import]

You asked what was using it and I pointed out those are in the core library, not something that can be excluded.

In your case, you can edit the APK and remove them; Corona is just covering their bases and letting you know that whacking on an APK is not something they have the resources to support.

[import]uid: 19626 topic_id: 28907 reply_id: 116767[/import]

Mike,

A Corona APK includes all features and 3rd party libraries that Corona has to offer, whether you use these features or not. Everything is compiled into a single binary and your Corona project files are merely assets within the APK file. With that said, we have to code Corona to assume that every app “might” use every feature. Now, we do have plenty of APIs that already have the permission safeguards in place, such as the camera API which will log/display a warning if the camera or write external storage permissions are missing. That is an example of how we are handling missing permissions the right way.

But there are plenty of areas in our code that blindly assume these 3 permissions are set, such as the APIs that Rob mentioned. Also, almost *all* of our 3rd party libraries such as InMobi, inneractive, and OpenFeint require these 3 permissions as well and may crash without them too. The resulting exception that occurs typically logs something non-intuitive. Typically an OpenGL exception even though the error has nothing to do with OpenGL… other than the fact that the error occurred on the OpenGL thread, which causes a lot of confusion for the Corona developer and our own tech-support group trying to isolate the issue. Bottom line, it can turn into a tech-support nightmare on both sides.

A good example of this, and a real tech-support issue that has happened, is the permission for our vibrate feature. If you forget to set the permission for vibrate, then your app will crash with an OpenGL exception. The error itself doesn’t make any sense and makes it difficult to isolate the issue, which in the end is only a 1 line fix in the “build.settings” file. I believe Rob has had experience with this one. This is an example of a part of the code where we need to put some safeguards in place to make it easier to deal with for everyone.
[import]uid: 32256 topic_id: 28907 reply_id: 116774[/import]

Joshua, I understand what you’re saying - but - it would still be good to allow developers to remove stuff they KNOW they are not using from the manifest without having to go through the rigamarole of apktool. Put an enormous warning up in huge letters when they do it that if they will use these features after removing the permissions, the plagues will descend upon them and their firstborns will be taken away - but still allow it, please.

As it is today, you’re forcing people to fiddle with this stuff themselves, without full knowledge of what to leave in and what to take out, causing more problems. [import]uid: 160496 topic_id: 28907 reply_id: 116777[/import]

I understand Mike. All I can say is that this is on our to-do list to be addressed later. At the moment, we have other commitments to take care of that a lot of Corona developers are counting on us to complete first. [import]uid: 32256 topic_id: 28907 reply_id: 116937[/import]