Warning from Google Play about app using Vungle version prior to 3.3.0?

Hi,

I just noticed I received warnings from Google Play about a few of my apps that use Vungle. Here is the warning:

Your application utilizes a version of the Vungle ad library containing a security vulnerability. The vulnerability can enable attackers to launch a successful man-in-the-middle attack against user devices by proxying network traffic and injecting a payload extracted by the Vungle app.

The vulnerability was addressed in Vungle v3.3.0. Please upgrade to Vungle v3.3.0 or higher as soon as possible. To check your Vungle version, you can do a grep search for “VungleDroid/”. For more information about the vulnerability, please see https://gist.github.com/Fuzion24/6535f8b9dc2a51745173.

The latest version of Vungle can be downloaded from https://v.vungle.com/dev/android. For help upgrading, see https://support.vungle.com/hc/en-us/articles/204222794-Get-started-with-Vungle-Android-SDK. For other technical questions, please use https://www.stackoverflow.com/questions.

To confirm that you’ve upgraded correctly, upload the updated version to the Developer Console and check back after five hours.

Please note, while it’s unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Before publishing applications, please ensure your apps’ compliance with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, visit this Google Play Help Center article.

I have not updated these apps for a while so I don’t know what version they are using. What version is Corona SDK using currently? If I rebuild will it meet these requirements?

Thanks

We’d like to know as well!

I rebuilt the app and submitted the update to Google Play. It appears the warning has gone away so I guess Corona SDK is building with an acceptable version of Vungle now. Just thought I’d give an update for anyone looking at this issue.

Can anybody from Corona confirm a new build is fixing the problem and is using a Vungle version 3.3.0+ please?


Vungle will need to provide us a new plugin.  I’ll ask if there’s been any talk about it.

Rob

I just verified that updating to the latest build fixes this issue. Not sure if just rebuilding will update the plugin to its latest version or not.

To fix I did the following:

Updated to latest build

Added these lines to my ad handler

M.ads.init("vungle", M.vungleID, M.adListener)
print("Vungle Version:"..M.ads.getVersionString())

Built APK

Loaded and installed to test device

Attached device to Monitor (you can use DDMS also)

filtered monitor output with “tag:corona”

Verified that updated Vungle version printed to console: “Vungle Version:2.1.0 (VungleDroid/3.3.0)”. VungleDroid is the SDK version.

published APK to Play Store

Waited 6 hours – Warning gone 

Hi Everyone!

I’d like to add to this - basically, ss.warren6 is correct. As long as you are on Vungle’s Android SDK version 3.3.0 or higher, this issue will be resolved. 

To check which version you are on, use this:

vungle.getVersionString()

Make sure it returns VungleDroid/3.3.0 or higher. If not, update to the latest build.

We also have an article in our Help Center which explains this Security Vulnerability in Android SDKs prior to 3.3.0 in further detail.

If you have any questions, you can contact us at tech-support@vungle.com.

Cheers!

Jordyn Chuhaloff

Developer Programs Engineer

Vungle
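As an added example (not part of the original thread, and not Vungle's or Corona's code), the "VungleDroid/" grep from the Google Play warning and the "3.3.0 or higher" check from the replies can be combined into one shell script. The function names, the sample log lines and the `app.apk` file name are assumptions made for illustration, and the script assumes the version digits directly follow the marker.

```shell
#!/bin/sh
# Added example: compare VungleDroid/<version> markers with the fixed release.
MIN_FIXED="3.3.0"   # first fixed SDK version named in the Google Play warning

# Print each distinct version that follows a "VungleDroid/" marker on stdin.
# Assumes the digits directly follow the marker, as in the log line in the thread.
extract_vungledroid() {
    grep -a -o 'VungleDroid/[0-9][0-9.]*' | sed 's#^VungleDroid/##; s#\.*$##' | sort -u
}

# Return 0 if dotted version $1 >= $2. Fields are compared as numbers, so
# 3.10.0 counts as newer than 3.3.0 (a plain string comparison gets that wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# Read a device log, getVersionString() output, or raw dex bytes on stdin.
# Returns 0 if every marker is >= MIN_FIXED, 1 if any is older, 2 if none found.
check_vungle() {
    found=0; worst=0
    for v in $(extract_vungledroid); do
        found=1
        if version_ge "$v" "$MIN_FIXED"; then
            echo "OK VungleDroid/$v"
        else
            echo "VULNERABLE VungleDroid/$v"; worst=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "NO_MARKER"; return 2; }
    return "$worst"
}

# Constructed sample log lines (not captured from a real device).
sample_log='I/Corona: Vungle Version:2.1.0 (VungleDroid/3.3.0)
I/Corona: Vungle Version:2.0.0 (VungleDroid/3.2.2)'
printf '%s\n' "$sample_log" | check_vungle || true
# For a built APK: unzip -p app.apk 'classes*.dex' | check_vungle
```

A `NO_MARKER` result is not proof that the SDK is absent or fixed; confirm with the version string printed on a device.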
