Google Play warning: Mobilecore problem
I thought someone would have posted about it already, but it seems not.
All apps with Mobilecore are receiving a warning in GP console. Eventually, the developer also receives an email, which is the following:
Hello Google Play Developer,
Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.
To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”
Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.
To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
Regards,
The Google Play Team
©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.
Affected app(s), version(s), and class(es):
xxx.andromo.devxxxxx.appxxxxx
6
com.ironsource.mobilcore.G$1;
Comments
We've seen similar reports of this nature in the last couple days and in each of those cases rebuilding the app using the current version of Andromo and updating it in Google Play resolves the issue. So you should update each of the apps the notification lists.
Darryl
Check here for example http://forums.makingmoneywithandroid.com/advertising-networks/31326-google-play-security-alert.html
mC even announced they are working on a new SDK that will fix the problem.
All my apps with mC got this, even an app I submitted 2 days ago.
I think this is no temporary glitch or something.
However if you're stating that this isn't the case, please submit a support ticket so we can look deeper into your particular case. Please include a list of the apps you're getting this error on in your submission.
Darryl
We messaged the other user that was mentioned in my previous comment, and apparently there was a misunderstanding. He actually removed MobileCore in his updates, and didn't just publish an update.
Based on what you've stated, the issue does occur on apps built with the current version of Andromo. If MobileCore is listed in the details, then that's the cause.
Andromo currently uses version 1.1 of their SDK, however from what I've read, it appears to be the case with 2.0 as well. So based on everything that I've been able to find thus far, the only thing we can do is wait for an SDK update from MobileCore. As they've stated, the deadline for that is in May.
So at this point the only two options are to wait for a little while, or to temporarily remove MobileCore and publish an update to those apps.
We'll continue to keep an eye on this issue as any new information develops. If anyone comes across any new information though that wasn't previously mentioned, please let us know.
Darryl
Many of us have a huge portfolio of apps to be updated.
It is always so annoying to see you guys working hard on major updates and s**t like this happening delaying your work and ours, too...
Thanks!
Now, when Andromo updates it we can go on and update apps if we feel like it. The deadline is still a little far and there are no immediate actions on apps affected, but still better to update them anyway.
Have you worked on the mC SDK update? Or are you waiting so you can include some other changes too?
Need to decide if I will wait for mC for new apps or I will just submit with other networks.
Thanks
Darryl
But this goes way past the 1-month timeframe we got. Even if they won't take immediate action, this seems to drag a bit and who knows what happens?
I hope you can make it faster. If not, we will have to deal with whatever we get.
"Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager."
So if you wanted to publish a new version of your app within the next 3 weeks, you'd probably want to disable MobileCore, otherwise, based on what they said, it would give you a month and a half after our update to update your apps.
You are right. Seems I was confused with some other GP warning I read about.
Really sorry. Then we got plenty of time indeed.
Thanks