MoPub security vulnerability - android

For a while now I've had a warning on my developer console regarding a MoPub security vulnerability. It comes from my mediation ad network (Appodeal). However, I have long since receiving this warning removed ALL ads from the application and resubmitted quite a few new apk versions, but the warning persists.
When I say I've removed all ads, I mean all external libraries (including MoPub), all code & anything declared in the manifest. I can't figure out what is lingering in the app that is triggering off this warning. Usually after posting an update the warning will go away for a few hours after submission, and then return. It's doing my head in.
What, precisely, do I need to do to stop this warning message? Thanks in advance.
Here is a Google Help link explaining the issue: https://support.google.com/faqs/answer/6345928

You shouldn't remove MoPub, you just need to update the Appodeal SDK.
You can find the link to the new sdk version here (native android): http://www.appodeal.com/sdk/documentation?framework=1&full=1&platform=1#p_2
And also you can write to Appodeal support chat about any technical questions :)

Related

com.segment.analytics.android:analytics noncompliant version in my app on the Google Play Console

My app is written on android native code and I got this warning on the play store console
Your app "appName" version code "xxxx" includes SDK com.segment.analytics.android:analytics or an SDK that one of your libraries depends on, which collects personal or sensitive data that includes but may not be limited to Advertising ID, Android ID identifiers. Persistent device identifiers may not be linked to other personal and sensitive user data or resettable device identifiers as described in the User Data policy.
ACTION REQUIRED: Upload a new compliant version AND deactivate the noncompliant version.
But I don't have that library on my project, the only libraries related to firebase that I have are these:
"com.google.firebase:firebase-crashlytics:17.4.0",
"com.google.firebase:firebase-analytics:18.0.2",
"com.google.firebase:firebase-perf:20.0.2",
"com.google.firebase:firebase-core:18.0.0",
"com.google.firebase:firebase-auth:20.0.1",
"com.google.firebase:firebase-messaging:21.0.1",
But I don't know how to solve this, should I update all of them and upload my app again and check if I received this warning again or not to see if it was solved? I need to solve this because I won't be able to upload more app versions in the following months.
Thank you for being so helpful, it's really appreciated.
Some people have asked me if I solved this, and the short answer is yes, I did. Unfortunately, nobody gave me a specific answer about how to solve it, and the problem is that I think I used a bazooka to kill a fly.
The process for solving this was this:
I updated all Firebase dependencies, I was using these:
com.google.firebase:firebase-crashlytics,
com.google.firebase:firebase-analytics,
com.google.firebase:firebase-perf,
com.google.firebase:firebase-core,
com.google.firebase:firebase-auth,
com.google.firebase:firebase-messaging
I updated them using firebase-bom version 30.3.2
Also, I updated other google dependencies, I'm not 100% sure that this affected the solution, however, I want to document all just in case you are also using them, and you can consider it out.
com.google.android.gms:play-services-auth:20.2.0,
com.google.android.gms:play-services-auth-api-phone:18.0.1,
com.google.android.gms:play-services-analytics:18.0.1,
com.google.android.gms:play-services-base:18.1.0,
com.google.android.gms:play-services-location:20.0.0,
com.google.android.gms:play-services-maps:18.0.1
After using these versions, I uploaded the new build and did not see the problem again in the Google console for this version and later.
Sorry for not being specific in the needed dependency to be updated, I didn't have a chance to test the combinations to discover them.

At least one of your app or app bundles contain an actions.xml file

All of a sudden the Google console started throwing an error message saying - "At least one of your app or app bundles contain an actions.xml file."
I have searched my entire app, there is no actions.xml.
I also used the Analyze APK tool of Android Studio to cross-verify whether any lib or other module may be adding the actions.xml.
Here is one troubleshooting link from Google (link); it describes the process to accept the Actions on Google Terms of Service.
But the question remains the same: the project doesn't contain any actions.xml.
Is it a console bug or am I missing anything?
This was very weird, but when I tried to upload the apk after some time it worked perfectly fine without any error messages.
As I rightly mentioned in the question there was no action.xml and action tag anywhere in my entire project.
It seems to be a console bug in my case.
It was a Google Play Console bug:
Thanks for your patience while our team investigated the behavior you experienced.
They have recently made some changes that should fix the problem. With the recent set of changes, please check to see if you are still experiencing the same issue. If so, I will be happy to see how else we can help.
Please ensure to clear your browser's cache and cookies first using the instructions available in our help center before accessing the Play Console again.

androidx.fragment.app.FragmentActivity.startActivityForResult policy violation issue

My app is getting rejected again and again with the same policy violation without any more details.
They are saying this file is causing the issue:
"androidx.fragment.app.FragmentActivity.startActivityForResult"
but this file is from this library: "implementation 'androidx.appcompat:appcompat:1.0.0'",
which is required by every other app. Even my other app, which is for doctors, is using the same libraries as my patient app. I've cross-compared both apps and didn't find any difference. Compared to my previous release, I've not made any other changes except for some additional API changes.
If my app is vulnerable to Intent Redirection, can anyone help me find the solution?
Thanks in advance.

Vungle SDK Malicious Behavior

I have received a mail from Google, saying "We found your app is using a non-compliant version of Vungle SDK".
I searched about this problem but I can't find the solution.
Anyone, please help me out with this issue; I will be very thankful to you.
I also attached the image of mail.
Our sincerest apologies for the flagging from Google. We understand the pain it can be to update SDKs on short notice. The good news is that all recent Vungle SDKs, starting with Vungle’s SDK 6.5.3, are compliant. More detail below:
The warning message relates to Android sideloading functionality present in only our 6.0-6.4 SDKs and has since been deprecated by Vungle. If you still have a pre-6.5 Android SDK present in your applications please update to the latest version. We learned this includes all tracks (production, beta, QA, etc.) which need to be updated. Please find the latest SDK here and Vungle's FAQ here.
Please always feel free to reach out to our support team for help at tech-support@vungle.com

Google Play warning: Your App may be leaking developer credentials

Please explain to me, what is it?
I have received a message from GP, with this text:
Hello Google Play Developer,
We detected that your app(s) listed at the end of this email are
potentially leaking credentials used to make network requests (HTTP
and FTP).
Please check for cases where you use url-encoded basic access
authentication, for example a URL such as
https://username:password@www.example.com/. We recommend that you
immediately change the credentials and redesign your app to avoid
including them.
Next steps
Sign in to your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.
Exposed developer credentials can allow an attacker to compromise your
systems which puts user data at risk. For other technical questions
about the vulnerability, you can post to Stack Overflow and use the
tag “android-security.”
We’re here to help
If you feel we have sent this warning in error, you can contact our
developer support team.
Regards,
The Google Play Team
I don't understand what the problem with my app is, please help me. What should I change in my app?
I was including Appodeal library in my free and premium app. I got this warning recently, I removed Appodeal and no longer have the warning in Google Play. Even though I wasn't using ads in Premium, I was including the Appodeal library in the binary as they are different flavors of the same Android Studio project. Looks like their problem. I had removed Appodeal from my free app a couple days ago for a different reason (https://medium.com/@greenrobotllc/response-to-1-star-review-problem-ads-auto-opening-app-store-on-lolcats-android-f1c7b7991caa#.milc5rcvs). A day or so after the free update to Google, I got this exact email about the premium version which I hadn't updated.
So check your 3rd party libraries.
Andy, Pablo and other wonderful people, who have visited this topic.
The problem was solved recently.
All you need to do - just update Appodeal SDK to the last one (ver. 1.14.15).
You can find it in our docs
Also you can download Android SDK here (Native Android).
Regards,
Andrew
Appodeal Support Team.
I can confirm that if you are using the Appodeal SDK you will get this alert as developer. I have contacted Appodeal support and this is their answer:
Ivan Prokopenko: Hi Pablo! we found the problem. It was problem with network, we contacted with support of network. We'll update SDK in next future, it will solve the problem. but don't worry, it's not critical
mytarget SDK has the same problem as the Appodeal SDK. We have contacted mytarget support too and this is their answer:
Hello Yan, Thank you for reaching out.
No credentials and any personal data was involved, so no problem with
leaking any data with our SDK. But to prevent the Google Play to
display the warning yesterday we updated our SDK - latest version is
4.5.1. Here is the change log - "Changed format of internal constant, because of which Google Play could display warning".
So for your next update you can update our SDK. You can download
latest version there -
https://bintray.com/mytarget/maven/mytarget-sdk/view#files/com/my/target/mytarget-sdk
Please let me know if you have any questions.
So check your 3rd party libraries.
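
One way to act on "check your 3rd party libraries" before uploading, as an added example that is not part of the original thread: scan every entry of the built APK for URLs that carry `user:password@host` credentials and report which file (for example which `classes*.dex`) contains them. The function names and the sample archive below are constructed for illustration.

```python
import io
import re
import zipfile

# scheme://user:password@host -- the userinfo form the Google Play warning describes.
# "/" is excluded from the userinfo classes, so "host:8080/path" is not a match.
_UI = rb"[A-Za-z0-9._~%!$&'()*+,;=-]+"
CRED_URL = re.compile(rb"(?:https?|ftp)://" + _UI + rb":" + _UI + rb"@[A-Za-z0-9.-]+")


def redact(url: bytes) -> str:
    """Mask the password so the scan report does not leak it again."""
    scheme, rest = url.split(b"://", 1)
    userinfo, host = rest.rsplit(b"@", 1)
    user = userinfo.split(b":", 1)[0]
    return f"{scheme.decode()}://{user.decode()}:***@{host.decode()}"


def scan_apk(apk) -> list[tuple[str, str]]:
    """Return (entry name, redacted URL) for each credential-bearing URL.

    `apk` is a path or file object. Only contiguous ASCII strings are
    matched; UTF-16 strings in binary XML are not covered by this check.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            for m in CRED_URL.finditer(zf.read(info)):
                findings.append((info.filename, redact(m.group(0))))
    return findings


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"\x00https://api.example.com:8443/v1\x00")
        zf.writestr("classes2.dex", b"\x00\x29http://sdkuser:s3cret@ads.example.net/cfg\x00")
        zf.writestr("assets/config.json", b'{"ftp": "ftp://build:hunter2@files.example.org"}')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, url in scan_apk(build_sample_apk()):
        print(f"{entry}: {url}")
```

A hit inside a `classes*.dex` that holds only library code points at the SDK to update or remove, which matches what the answers above report for Appodeal and mytarget.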
