To participate, please log in to your Andromo App Maker account then come back here!

Google Play warning: Mobilecore problem

edited February 2016 in General Discussion
I thought someone would have posted about it already but seems no.
All apps with Mobilecore are receiving a warning in GP console. Eventually, the developer also receives an email, which is the following:


Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

Affected app(s), version(s), and class(es):

xxx.andromo.devxxxxx.appxxxxx
6
com.ironsource.mobilcore.G$1;

Comments

  • What version of Andromo was that app built with? You can check on the About dialog...
  • Hi,

    We've seen similar reports of this nature in the last couple days and in each of those cases rebuilding the app using the current version of Andromo and updating it in Google Play resolves the issue. So you should update each of the apps the notification lists.

    Darryl
  • Are you sure about it? This is not an Andromo issue only, people all over forums are trying to find out what it means.
    Check here for example http://forums.makingmoneywithandroid.com/advertising-networks/31326-google-play-security-alert.html

    mC even announced they are working on a new SDK that will fix the problem.
    All my apps with mC got this, even app I submitted 2 days ago.
    I think this is no temporary glitch or something.
  • Well, there were two scenarios that popped up recently, one referencing MobileCore and another that referenced code that's no longer used in Andromo (stuff from a few years ago). One user's particular notifications didn't appear to be flagging all of the their apps using MobileCore, and didn't for the ones built with the current version of Andromo. This lead us to believe that the error was being caused by either just older SDKs or a combination of platform SDK version. From what we were told, upon submitting an update to those apps, the notification disappeared. However perhaps the notification will reappear at some point?

    However if you're stating that this isn't the case, please submit a support ticket so we can look deeper into your particular case. Please include a list of the apps you're getting this error on in your submission.

    Darryl
  • Ok Darryl, will do, thanks.
  • Just to update everyone...

    We messaged the other user that was mentioned in my previous comment, and apparently there was a misunderstanding. He actually removed MobileCore in his updates, and didn't just publish an update.

    Based on what you've stated, the issue does occur on apps built with the current version of Andromo. If MobileCore is listed in the details, then that's the cause.

    Andromo currently uses version 1.1 of their SDK, however from what I've read, it appears to be the case with 2.0 as well. So based on everything that I've been able to find thus far, the only thing we can do is wait for an SDK update from MobileCore. As they've stated, the deadline for that is in May.

    So at this point the only two options are to wait for a little while, or to temporarily remove MobileCore and publish an update to those apps.

    We'll continue to keep an eye on this issue as any new information develops. If anyone comes across any new information though that wasn't previously mentioned, please let us know.

    Darryl
  • edited February 2016
    Yes, we should be expecting a new SDK from MC to fix this thing. I just wanted to mention it here and at support so you guys can implement it as soon as possible the moment it is out and tested.
    Many of us got huge portfolio of apps to be updated.

    It is always so annoying to see you guys working hard on major updates and s**t like this happening delaying your work and ours, too...

    Thanks!
  • Just wanted to say that the Mobilecore SDK has been fixed and updated in their site, as per my AM message and from what other people say at forums.
    Now, when Andromo updates it we can go on and update apps if we feel like it. The deadline is still a little far and there are no immediate actions on apps affected, but still better to update them anyway.
  • Hi guys,

    Have you worked on the mC sdk update? Or you are waiting to manage to include some other changes too?
    Need to decide if I will wait for mC for new apps or I will just submit with other networks.
    Thanks
  • Currently I'm tied up with another task which I hope to be completed in about 2 weeks. The current plan is to update MobileCore at that point, and perhaps a small number of other updates, not sure yet. So I would estimate it being around 3 weeks away if things go to plan.

    Darryl
  • Oh
    But this goes way past the 1month of timeframe we got. Even if they wont take immediate actions, this seems to drag a bit and who knows what happens?

    I hope you can make it faster. If not, we will have to deal with whatever we get.
  • edited March 2016
    Could you explain further what you mean when you say the "1 month of timeframe we got"? Based on the email you posted initially, it says:

    "Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."

    So if you wanted to publish a new version of your app within the next 3 weeks, you'd probably want to disable MobileCore, otherwise, based on what they said, it would give you a month and a half after our update to update your apps.
  • @darryl

    You are right. Seems I was confused with some other GP warning I read about.
    Really sorry. Then we got plenty of time indeed.
    Thanks
  • FYI - The updated MobileCore SDK has been integrated into Andromo 4.6.
Sign In or Register to comment.