Warning from Google about libpng

ubj3d.android · June 15, 2016, 6:28pm

Got this warrning from Google

Security alert

Your app is using a version of libpng containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Joshua_Quick · June 15, 2016, 6:52pm

I think this security warning is being triggered by a plugin’s usage of the libpng library.

Can you list out all of the plugins you are using please?

ubj3d.android · June 15, 2016, 7:11pm

Here it is:

plugins =

{

[“CoronaProvider.analytics.flurry”] = { publisherId = “com.coronalabs”, },

[“plugin.google.play.services”] = {publisherId = “com.coronalabs” },

},

Not sure if we commented out teh flurry but Google Play Service is used for sure.

Joshua_Quick · June 15, 2016, 7:57pm

Okay. We’ll check it out on our end.

One last question. How long did it take for Google to notify you about this after uploading an APK?

borriero · June 16, 2016, 5:19pm

Same problem here.

JBean1 · June 16, 2016, 6:03pm

We had the same email, and plug-ins used were:

plugin.google.iap.v3

CoronaProvider.ads.admob

Let us know if we can update using the current plug-ins to remove the error - I may run a test now to see if that helps just by updating the build.settings

ubj3d.android · June 16, 2016, 6:46pm

The game is uploaded long time ago.

Would recompiling with newer version of Corona help?

JBean1 · June 16, 2016, 6:51pm

I tried recompiling with a new version with updated plug-ins, we’ll see if the flag gets removed, but the apps were at least 2-3 years old that were flagged.

Joshua_Quick · June 16, 2016, 7:06pm

We do use libpng’s source compiled directly within our own Corona library. I would just be surprised that Google actually scans the binary internals of all *.so libraries in order to figure this out. I figured that Google would simply be looking for a “libpng.so” file, which a plugin might include. That would be the most likely culprit. Unfortnately, none of Corona Labs’ APKs on Google Play have been flagged yet. We’ve uploaded 2 more yesterday to see if it that’ll trigger a response as well. The first step is to reproduce this Google Play warning on our end (identify the root cause) in order to resolve it.

We are also prepping a new daily build to switch to libpng source code that’s not on Google’s naughty list. But like I said above, we can’t guarantee this will resolve anything until Google issues a warning to us as well.

We’ll keep you guys posted.

JBean1 · June 16, 2016, 7:17pm

It seems like the common denominator of all the apps that have been flagged, at least with us, have been from around February to July of 2014, and they have the old admob plug-in in there, as well as google iAP v3.

Could either of those plug-ins have caused the issue?

It definitely seems like admob could have been the culprit, but that’s the time period of all the apk’s that we had flagged.

We’ve updated a few, and will see if the flag gets removed in the next 24 hours, and will post an update here if they do!

firemaplegames · June 16, 2016, 7:34pm

If it helps, I got the email as well. I submitted the apps last year and I’m not using any plugins.

JBean1 · June 16, 2016, 7:59pm

The flags were updated and removed within an hour after publishing, so just updating with the latest Corona build should resolve it for everyone

We of course had to go in and update the build.settings on games with the older version of the admob plug-in, but for anyone else that had these errors, just a simple update should do the trick

Joshua_Quick · June 15, 2016, 6:52pm

I think this security warning is being triggered by a plugin’s usage of the libpng library.

Can you list out all of the plugins you are using please?

ubj3d.android · June 15, 2016, 7:11pm

Here it is:

plugins =

{

[“CoronaProvider.analytics.flurry”] = { publisherId = “com.coronalabs”, },

[“plugin.google.play.services”] = {publisherId = “com.coronalabs” },

},

Not sure if we commented out teh flurry but Google Play Service is used for sure.

Joshua_Quick · June 15, 2016, 7:57pm

Okay. We’ll check it out on our end.

One last question. How long did it take for Google to notify you about this after uploading an APK?

borriero · June 16, 2016, 5:19pm

Same problem here.

JBean1 · June 16, 2016, 6:03pm

We had the same email, and plug-ins used were:

plugin.google.iap.v3

CoronaProvider.ads.admob

Let us know if we can update using the current plug-ins to remove the error - I may run a test now to see if that helps just by updating the build.settings

ubj3d.android · June 16, 2016, 6:46pm

The game is uploaded long time ago.

Would recompiling with newer version of Corona help?

JBean1 · June 16, 2016, 6:51pm

I tried recompiling with a new version with updated plug-ins, we’ll see if the flag gets removed, but the apps were at least 2-3 years old that were flagged.

Joshua_Quick · June 16, 2016, 7:06pm

We do use libpng’s source compiled directly within our own Corona library. I would just be surprised that Google actually scans the binary internals of all *.so libraries in order to figure this out. I figured that Google would simply be looking for a “libpng.so” file, which a plugin might include. That would be the most likely culprit. Unfortnately, none of Corona Labs’ APKs on Google Play have been flagged yet. We’ve uploaded 2 more yesterday to see if it that’ll trigger a response as well. The first step is to reproduce this Google Play warning on our end (identify the root cause) in order to resolve it.

We are also prepping a new daily build to switch to libpng source code that’s not on Google’s naughty list. But like I said above, we can’t guarantee this will resolve anything until Google issues a warning to us as well.

We’ll keep you guys posted.