We run a web application with a Java Script- and an Android front end. We use Google IDs with OAuth for authentication. Everything worked find until today authenticaiton suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In developer console I noticed, that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out, that our Android App was removed from the Play Store and we got following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy.Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously as the hole app is about security and our customer's trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confident data of any kind. We published a couple of related apps and not all have the feature even included but all were suspended. However, we guess that this feature is the reason for removing.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed, that our App collects names of running tasks and sends them to our servers, which is not the case. However, we used the crittercism library and the crittercism docs suggest to require the "GET_TASKS" permission, what we did. I don't think, that Crittercism is considered as dangerous as it's used by lots of applications. But maybe the combination of a Logging Service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.
Related
We received the message below from FB regarding our Android app. Our app was originally on the PlayStore but is currently not approved / published. We are still using the Play Store link in the field > 'Android: Google Package Name'. Seems Google may have made a change & this link is no longer valid.
While we work on restoring PlayStore approval, the Android app is available as a direct download. We don't know how long this process will take. My question is, does FB support Android APKs that are not listed on the PlayStore? Is there a way to use a different link in the field > 'Android: Google Package Name'? Our Android users have used FB login to create accounts so we really need to keep this feature active. If anyone has any input here that would be great. cheers
Message from FB:
In order to keep our Facebook platform and community safe, we periodically review apps for compliance. We need the following action from you on your app, (), in order to approve your app’s continued operation on our platform.
URL(s) listed on your app dashboard settings could not be accessed for platform compliance review. Kindly make sure that the following field(s) on your app dashboard are working correctly:
Android: Google Package Name
The corresponding URL(s) should return a successful HTTP status code. You can verify this using the Sharing Debugger.
Sharing Debugger: https://developers.facebook.com/tools/debug/sharing/
Compliant response codes: 200-299
Violating response codes: 100-199, 300-399, 400-499, 500-599
Please also allowlist the user agent strings or the IP addresses (more secure) used by the crawler. For detailed instructions, please visit: https://developers.facebook.com/docs/sharing/webmasters/crawler.
For Google Package Name(s) and iPhone Store ID(s), please make sure that these are publicly available.
Kindly apply the requested changes to prevent your app from being restricted on our platform. You can check your app dashboard to verify if the violating fields are now compliant, otherwise you will receive an automated alert as soon as we've detected that the fields are compliant.
Thank you for your cooperation in our continued efforts to keep our platform safe.
I developed an app using the platform codename one, after submit the app in Play Store I received the following warning email:
*"We detected that your app(s) listed at the end of this email are using an unsafe implementation of the WebViewClient.onReceivedSslErrorHandler. You can also see the list of affected apps, as well as details such as version numbers and class names, on the Alerts page in your Developer Console.
Your current implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
What’s happening
Beginning November 25, 2016, Google Play will block publishing of any new apps or updates that contain this vulnerability. Your published APK version will remain unaffected, however any updates to the app will be rejected unless you address this vulnerability.
Action required
To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.
After making changes, sign in to your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly."*
I was researching but unfortunately I didn't find anything about that. I think that maybe is an internal issue of the platform but not sure. What do you think?
Thanks in advance.
Not properly validating the certificate of a SSL connection is a serious issue because this way you effectively weaken the protection offered by SSL a lot and allow easy man in the middle attacks. This way an attacker might sniff the transferred data and even modify the data.
Thus the issue should be fixed.
But with the currently shown information it is impossible to say if the error is in your (unknown) code or some (unknown) third party library or in the wrong usage of a third partly library. But a common cause for such errors is that one is trying to use a self-signed certificate and switches off validation for this purpose. Another common cause is the intention to switch off validation for development only but then inadvertently fail to enable it again for production.
You can look thru the sources of the Codename One port and see that there is no usage of that method:
https://github.com/codenameone/CodenameOne/blob/master/Ports/Android/src/com/codename1/impl/android/AndroidImplementation.java#L3768
So there is no such violation within Codename One as far as I can tell. There are thus two options I can think of:
Google is wrong - wouldn't be the first time with those guys... +
I submitted a Codename One Android app just the other day and didn't get such an error
You added a 3rd party cn1lib/extension/native code to your project which you can verify by looking under android/native or within the lib directory to see if you have anything in the former or a .cn1lib file in the latter.
I have been getting some amounts between $0.2 to $0.7 debited from my final payment from AdMob ads under the title "invalid activity" in my payment details.
Yes the amounts are small but i am still worried as i have been extra careful while testing i used the test keys and i have not told any of my friends to click on my ads or have clicked on them myself.
I did have the same issue for my web-site but that was due to some bots which i black-listed in the server access files so i am no longer getting such "invalid activity" on my blog earnings
I have built my apps in Ionic Framework.
So my question is how can i detect where the invalid activity is coming from in my app and how can i prevent it.
How can i detect where the invalid activity is coming from in my app
You can check a country wise view of requests on Google Adsense at this link. You can analyze and check where major traffic is from, where clicks are from, etc.
Fore more detailed reporting use Google Analytics for Android
How can i prevent it.
There is no fixed way of how you deal with that. You will need to take steps and write algorithms in your app based on your analysis. But, I dont think that is really required. If it is an invalid activity from a third party (NOT You) Google will take corrective actions. But, if it is by You, you are in trouble and may get the app suspended or account blocked.
google doesn't provide actual invalid activity because of security reason according to google terms& conditions
I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.
Hello and thanks in advance for your response.
I have my licensed app uploaded to the Play Store. I can test and get expected results with all of the static test license responses (Licensed, Not Licensed, etc). So far so good.
But if my test device has no internet connection, the license check ALWAYS fails. This is not how I understand the ServerManaged policy to work. If an install is found to have been licensed sometime in the recent past, the policy is supposed to cache information in a shared prefs file and use it if there is no internet connection.
So I temporarily commented-out the obfuscation of the data in the prefs file that the license system creates. When I look at the data, I see that the retry count and other stuff is set to zero. This is not what I expect. With data like this, it is behaving for me as if I were using a Strict policy (and I am not).
I am presuming that this is an artifact of using the test response system and that "real" users will get actual data in their obfuscated shared prefs that permits them to operate in the absence of an internet connection.
So I have tried setting the server response to "Respond Normally". When I do this, I ALWAYS get a NOT LICENSED response. And I guess this makes some sense because I have not purchased the app and downloaded it.
So how can I, as the developer, experience exactly what my end-users experience? I want to be able to test how this all works without an internet connection, for example. I cannot seem to figure out how to do this? I guess I could purchase my own app but I am not sure that will even work since the test device is logged into the test account. And it makes no sense for a developer to have to purchase their own app.
Thanks for any suggestions.
I think I found a possible solution to your problem.
What I have done:
first, I created a google group for alpha/beta testers of my app (after uploading the app, of course). Then, I ivited myself in this google group and accept the invitation. After this, I inserted my gmail developer account in the list of the users for the license test and set the server response to "RESPOND_NORMALLY".
In this way, the response of the server will be always "LICENSED" for my account, and the validity time will not expire in 2 minutes. It's as I had bought the app!
The only limitation to this trick is that you have to upload your app in a beta or alpha slot of your google developer console but, after this, you can also get a "LICENSED" answer using a debug app uploaded on your device using the usual Eclipse IDE! You don't have to wait for the generation of the link to download the test app (that is very slow to generate... Up to 24 hours!).
I too have experienced this frustration. I too want to have the same experience as my customers. As soon as I set 'Respond Normally' I always see the 'NOT LICENSED' response -- which seems VERY SUBOPTIMAL. I BELIEVE what Google needs to added is a setting of **'RESPOND_NORMALLY_AND_LICENSED'**. That would do what's needed.
The heart of the difficulty: if I leave my app as 'LICENSED' that works fine when I have an internet connection, then after 2 minutes with no connection, my app stops working as licensed (since the cache is set on the Google Play Server to 2 minutes). Thus if I want to use my own app day-in and day-out, I need to produce an app with licensing disabled --- something my customers never see. That's a VERY bad idea.
We all learned a long time ago: "You must eat your own 'dog food' as a developer."
I have reported this as a 'Developer Console' Bug, but it is perhaps instead of a 'Bug,' a very strong suggestion--and it would be seemingly be simple to implement.
As a work around, I have now added code in ServerManagedPolicy.processServerResponse() to simply add two months of time the licensed time and call setValidityTimestamp(). I hope this helps someone else. Now I am content ---