[RESOLVED] VERY disturbing! Hidden network traffic by Corona SDK breaks Jellybean.
Started by gtt Jul 22 2012 02:44 AM

37 replies to this topic
Page 1 of 2 1 2
This topic has been archived. This means that you cannot reply to this topic.
#1

gtt
  • Contributor

  • 164 posts
  • Corona SDK

I've posted a few days ago that we received emails from clients with Jellybean installed about app crashes.

The "good" news is we have managed to find the problem.
The BAD news is, we have no way of solving it.

In general anyone that uses apktool/multitool to change the manifest xml file to remove unused permissions will find that their application crashes sporadically when running on Android 4.1.

The reason is a change in the behavior of the OS when an unauthorized request is made. In our case we are targeting toddlers and children and we had to remove all the permissions that were considered a privacy concern to our clients. Meaning no identity/location/network access whatsoever.

We did of course disable the dashboard (with launchPad = false in config.lua) and then we unpacked our APK and packed it back without all the permissions.
We are not using any extended library like OF, Flurry or even IAP! We are just using the plain graphics library (display.*, etc.); we expect ZERO network traffic.

On any Android version before 4.1 we had no issues. But on 4.1 we get a lot of exceptions sent to our developer console. They all share the same stack trace:
java.lang.SecurityException: Permission denied (missing INTERNET permission?)
    at java.net.InetAddress.lookupHostByName(InetAddress.java:418)
    at java.net.InetAddress.getAllByNameImpl(InetAddress.java:236)
    at java.net.InetAddress.getAllByName(InetAddress.java:214)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:137)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    at com.loopj.android.http.AsyncHttpRequest.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
    at java.lang.Thread.run(Thread.java:856)
Caused by: libcore.io.GaiException: getaddrinfo failed: EAI_NODATA (No address associated with hostname)
    at libcore.io.Posix.getaddrinfo(Native Method)
    at libcore.io.ForwardingOs.getaddrinfo(ForwardingOs.java:55)
    at java.net.InetAddress.lookupHostByName(InetAddress.java:405)
    ... 12 more
Caused by: libcore.io.ErrnoException: getaddrinfo failed: EACCES (Permission denied)

Our conclusion is that versions prior to 4.1 just silently ignored unauthorized internet access while Jellybean throws a hard exception that crashes Corona SDK.
I have NO idea why such traffic is generated! When our clients complained Corona has "spyware" (they found out we are using Corona from the Corona badge on our site) in it we removed all these permissions and replied to them defending Corona and ourselves and they all were happy with the result. Now how can we explain adding back intrusive permissions? :(

Our only solution to this would be to enable the INTERNET permission but we are going to receive a lot of bad client feedback for such a move. Sadly, I don't think we have a choice with the fast deployment of 4.1.

So, Corona PLEASE support us :(
I'm sure this issue is going to affect a LOT of other customers as well (I've learned how to do it on this forum...). If you can on your side "try" and "catch" these exceptions at the java level it should solve this I think.
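The manifest edit this post describes (unpack the APK, drop the permissions, repack), as an added example that is not from the thread and not Corona Labs' own tooling: a small Python script that takes a decoded AndroidManifest.xml (the text XML that apktool's decode step produces), removes the network-related uses-permission entries, and lists what is left so the result can be checked before rebuilding. The sample manifest, the package name and the activity are constructed for the example, and the list of permissions to strip is an assumption based on the ones named later in this thread. The caveat the thread is about still applies: deleting a permission from the manifest does not delete the code that tries to use it, so any request path that survives will fail with exactly the SecurityException quoted above on Android 4.1.

```python
"""Strip network permissions from a decoded AndroidManifest.xml and report what remains.

Constructed example, not code from the thread or from Corona SDK. Intended for
the manifest that `apktool d app.apk` writes into app/AndroidManifest.xml.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Keep the "android:" prefix on output instead of ElementTree's generated ns0:.
ET.register_namespace("android", ANDROID_NS)
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumption: these are the permissions worth removing for an offline kids' app;
# they match the three Walter lists later in the thread plus ACCESS_WIFI_STATE.
NETWORK_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.READ_PHONE_STATE",
})

# Constructed sample manifest: package and activity names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kidsgame" android:versionCode="7" android:versionName="1.7">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Kids Game" android:icon="@drawable/icon">
        <activity android:name=".MainActivity" android:label="Kids Game"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the sorted list of uses-permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR) for el in root.findall("uses-permission"))


def strip_permissions(manifest_xml, remove=NETWORK_PERMISSIONS):
    """Remove every top-level <uses-permission> whose name is in `remove`.

    Returns (new_manifest_xml, list_of_removed_names). Only direct children of
    <manifest> are touched, which is where uses-permission elements live.
    """
    root = ET.fromstring(manifest_xml)
    removed = []
    for el in list(root.findall("uses-permission")):
        name = el.get(NAME_ATTR)
        if name in remove:
            root.remove(el)
            removed.append(name)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, removed


def main(argv):
    # With a path argument, rewrite that manifest in place; otherwise run on the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_MANIFEST
    new_xml, removed = strip_permissions(xml_text)
    if len(argv) > 1:
        with open(argv[1], "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    print("removed:", ", ".join(removed) or "(none)")
    print("remaining:", ", ".join(declared_permissions(new_xml)) or "(none)")


if __name__ == "__main__":
    main(sys.argv)
```

Workflow around it, all standard tools: `apktool d app.apk`, run the script on `app/AndroidManifest.xml`, `apktool b app`, then sign and zipalign the rebuilt APK. Before shipping, `aapt dump permissions rebuilt.apk` on the final artifact is the check that matters, since it reads the binary manifest the device will see rather than the XML you edited.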


#2

mike470
  • Contributor

  • 327 posts
  • Corona SDK

Why in the world does Corona send anything not authorized by the developer over the net? Need some explanation here from the staff, please.


#3

gtatarkin
  • Contributor

  • 366 posts
  • Corona SDK

+10000000 Hello Corona staff?!


#4

digitaloranges
  • Enthusiast

  • 47 posts
  • Corona SDK

Surely it's something to do with the analytics service they provide?


#5

borgb
  • Contributor

  • 291 posts
  • Corona SDK

My guess is that it's the dashboard analytics thing. Don't think you can turn that off as far as I know. Hopefully someone from Corona can explain it.


#6

mike470
  • Contributor

  • 327 posts
  • Corona SDK

If the analytics is a "service", then the developer should be able to turn it off. Unless it's a service for Corona, and not for the developer. Which would be fine, if Corona was a freebie - you expect this kind of thing of freebies. Not of something you pay for.

Look, there are a LOT of paranoiacs out there who are spurred on by all kinds of articles about the nefarious net companies gathering data on them. You and I (well, I and maybe you) know that the data gathered is always aggregate, not personalized, and there are maybe a handful of programs out there that are spyware that act and serve as legit apps, but the CUSTOMERS do not know this. The media has been buzzing into their ears about spyware, and if they see an educational game app that says it needs access to the phone contacts when it installs, that is what they will see it as - spyware. Even worse - spyware that wants to spy on their kid. Which leads to complaints, one-star ratings, and demands for refunds.

Seriously Corona - are you guys this clueless about this? I have been a client-side application developer (in financial markets, not iOS apps, but still) for decades, and any HINT that there is some kind of side-communication going on in your program will decimate your user base. And *especially* with the review system in place like there is for apps where just a few of your users have to put the dreaded s-word ("spyware") in the review, and it will scare off 90% of potential buyers of the app.


#7

gtt
  • Contributor

  • 164 posts
  • Corona SDK

@mike470, you're spot on!
This is exactly what happened to us. We got featured on Amazon and got 150,000 downloads in one day, just to receive tens of reviews by paranoid users that thought we are collecting data on them. This killed our rating and download stats for a few days. After we removed the permissions it silenced these voices.

But now we are afraid to get into the same situation again, and worse! (Some users replied to us that they still don't believe us and that they think we'll add these permissions again in the future.)


#8

gtatarkin
  • Contributor

  • 366 posts
  • Corona SDK

@borgb - "my guess is that its the dashboard analytics thing"

Yeah, but it uses the phone and internet permissions, so lots of users just don't download your app because of these settings. Personally I don't need analytics.


#9

jfb
  • Enthusiast

  • 46 posts
  • Corona SDK

@gury

Are you saying that

launchPad = false

does nothing?

What about androidPermissions, as in

settings = {
    androidPermissions = {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.INTERNET",
    },
}

Does this not affect permissions?


#10

gtt
  • Contributor

  • 164 posts
  • Corona SDK

hey @jfb,

The only thing I know launchPad=false does is remove my app from the site's launchpad. As for network traffic, I was sure it would be removed, but now I think at least some traffic is still there; I can't tell what is really being sent.

Not really sure what you meant by the rest of your comment; adding the androidPermissions clause will add them to your AndroidManifest.xml,
what we were trying to do is remove them...
(As a matter of fact, as far as I know, Corona defaults to having the INTERNET permission on even if you don't add that in your androidPermissions clause..)

Just to make everything clear: no network access happens in our case because we removed the permissions, but network traffic is trying to happen!! And we only found out about this because in 4.1, when this scenario happens, you get a hard exception which crashes Corona SDK.

I hope this helps.
I will also be super happy to admit I was wrong if someone explains to me where...

Gury
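An added example for the crash reports this post describes (not code from the thread or from Corona Labs): a small parser for Java stack traces of the kind quoted in the first post. It walks the "Caused by" chain, flags the missing-INTERNET-permission signature so those reports can be separated from ordinary crashes in a developer console export, and reports the first frame outside the platform packages, which is the code that actually issued the request. For the trace in post #1 that frame is a com.loopj.android.http client inside the APK, not the app's own Lua. The first sample is the trace from post #1; the second, an unrelated NullPointerException, is constructed so the classifier has something to reject. The list of platform package prefixes is an assumption.

```python
"""Triage Android crash traces for the 'missing INTERNET permission' signature.

Constructed example, not code from the thread. Works on the plain-text trace
format shown in post #1 (exception header, 'at' frames, 'Caused by:' chain).
"""
import re

# A frame line: "    at pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s*at\s+(?P<frame>\S.*)$")
# An exception header: the first line of the trace or a "Caused by:" line.
HEAD_RE = re.compile(
    r"^\s*(?:Caused by:\s*)?(?P<cls>[\w.$]+(?:Exception|Error|Throwable))(?::\s*(?P<msg>.*))?$"
)
# Assumption: frames under these prefixes are the OS or bundled Apache HTTP stack,
# not the code that decided to make a request.
PLATFORM_PREFIXES = ("java.", "javax.", "android.", "libcore.", "dalvik.",
                     "org.apache.http.", "com.android.")

# Sample 1: the trace quoted in post #1 of this thread.
SAMPLE_TRACE = """java.lang.SecurityException: Permission denied (missing INTERNET permission?)
    at java.net.InetAddress.lookupHostByName(InetAddress.java:418)
    at java.net.InetAddress.getAllByNameImpl(InetAddress.java:236)
    at java.net.InetAddress.getAllByName(InetAddress.java:214)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:137)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    at com.loopj.android.http.AsyncHttpRequest.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
    at java.lang.Thread.run(Thread.java:856)
Caused by: libcore.io.GaiException: getaddrinfo failed: EAI_NODATA (No address associated with hostname)
    at libcore.io.Posix.getaddrinfo(Native Method)
    at libcore.io.ForwardingOs.getaddrinfo(ForwardingOs.java:55)
    at java.net.InetAddress.lookupHostByName(InetAddress.java:405)
    ... 12 more
Caused by: libcore.io.ErrnoException: getaddrinfo failed: EACCES (Permission denied)
"""

# Sample 2: a constructed, unrelated crash that must not be flagged.
NPE_TRACE = """java.lang.NullPointerException
    at com.example.kidsgame.MainActivity.onResume(MainActivity.java:42)
    at android.app.Activity.performResume(Activity.java:5182)
    at android.app.ActivityThread.performResumeActivity(ActivityThread.java:2732)
"""


def parse_trace(text):
    """Split a trace into its exception chain, outermost first.

    Each entry is {"cls": class name, "msg": message, "frames": [frame, ...]}.
    '... N more' lines are dropped; frames before any header are ignored.
    """
    chain = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m and chain:
            chain[-1]["frames"].append(m.group("frame").strip())
            continue
        m = HEAD_RE.match(line)
        if m:
            chain.append({"cls": m.group("cls"), "msg": m.group("msg") or "", "frames": []})
    return chain


def request_origin(chain):
    """First frame of the outermost exception that is not platform code, or None."""
    frames = chain[0]["frames"] if chain else []
    for frame in frames:
        if not frame.startswith(PLATFORM_PREFIXES):
            return frame
    return None


def is_missing_internet_permission(chain):
    """True when the outer SecurityException blames INTERNET or the root cause is an
    EACCES from getaddrinfo (the DNS-denied form seen on Android 4.1)."""
    if not chain:
        return False
    outer, root = chain[0], chain[-1]
    denied_dns = (root["cls"].endswith("ErrnoException")
                  and "getaddrinfo" in root["msg"] and "EACCES" in root["msg"])
    return outer["cls"] == "java.lang.SecurityException" and ("INTERNET" in outer["msg"] or denied_dns)


def triage(text):
    """Classify one trace and name the non-platform code that triggered it."""
    chain = parse_trace(text)
    return {
        "category": "missing_internet_permission" if is_missing_internet_permission(chain) else "other",
        "chain": [c["cls"] for c in chain],
        "origin": request_origin(chain),
    }


if __name__ == "__main__":
    for label, trace in (("thread sample", SAMPLE_TRACE), ("constructed NPE", NPE_TRACE)):
        print(label, "->", triage(trace))
```

The useful field is `origin`: when a stripped-permission build crashes, it tells you which package inside the APK still tries to reach the network, which is the question this thread is trying to answer.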


#11

jfb
  • Enthusiast

  • 46 posts
  • Corona SDK

I was thinking
androidPermissions=nil
but I guess that would be too simple!


#12

rdytmire
  • Observer

  • 13 posts
  • Corona SDK

I'd like to hear from Corona's reps on this. I have a (4 billion + / year) client I am trying to sell on this API but ANY whiff of network traffic is a total non-starter for them.

Guys, unaccounted for network traffic AUTOMATICALLY fails a security audit. No retailers could use your device as it would fail PCI compliance.

We need an answer / explanation on this one.

Best practice would be NO unauthorized traffic at any time unless explicitly allowed by the developer.


#13

Omnigeek Media
  • Corona Geek

  • 2,975 posts
  • Corona SDK

Have you filed a bug report with Corona Labs? Posting to a forum is no guarantee of getting their attention.


#14

gtt
  • Contributor

  • 164 posts
  • Corona SDK

As far as I can tell this is not a bug but behavior Corona intended. I just want to change it, or have an option to do so, like many other users.


#15

rdytmire
  • Observer

  • 13 posts
  • Corona SDK

Sigh... The report a bug function REQUIRES me to submit code to reproduce a bug.

Since I'm just asking for follow up there seems no way to get their attention.

I'll assume we'll see more issues like this as Corona attempts to sell to Enterprise level accounts. The two types of developers are VERY different and Enterprise is very careful who / when they release any proprietary code into the wild.


#16

jfb
  • Enthusiast

  • 46 posts
  • Corona SDK

Have you tried this?

http://www.ludicroussoftware.com/blog/2012/05/08/remove-unused-libraries-from-corona-apps/

(in principle one could edit the .smali files to remove web traffic)


#17

jfb
  • Enthusiast

  • 46 posts
  • Corona SDK

@ rdytmire

I think if launchPad = false does not switch off analytics then this IS a bug!


#18

Omnigeek Media
  • Corona Geek

  • 2,975 posts
  • Corona SDK

Since you know what causes the problem, you should be able to write a small app that demonstrates it. You don't need to submit your entire app.


#19

gtt
  • Contributor

  • 164 posts
  • Corona SDK

I don't see the point in filing a bug. No one said the traffic is generated by analytics.

The only thing I know is that there is traffic when I'm not expecting it. Analytics is one option that was mentioned here but got no confirmation from any official source.

I also do not think it's any kind of regression, I think it always worked this way and was only caught because of an OS behavior change + us unpacking the APK with an external tool.

This thread was forwarded to the right people by Peach so I will just wait for the official response..

Regardless, I cannot reproduce this myself because I don't have a Jellybean device.


#20

walter
  • Moderator

  • 726 posts
  • Alumni

Looking into this, as what you are saying doesn't make sense. The launchpad setting in config.lua should override unless you are using a service from one of our launchpad partners, e.g. inneractive.

Just so you know we take privacy very seriously. We even had our lawyers draft up a privacy policy designed for you to use as an app developer (this is distinct from the privacy policy that all web sites post) so you can give something to end users.

When we last looked, this is something no other app platform is doing:

http://www.coronalabs.com/privacy-policy/privacy-policy-for-app-users/


#21

rdytmire
  • Observer

  • 13 posts
  • Corona SDK

Thanks for the reply Walter. Although it seems kind of cryptic. What part does not make any sense? They obviously have captured HTTP traffic outbound from the device that the developer did not send. There is no question of this.

I've read your privacy statement and I have some questions:

Your privacy statement explicitly says that Corona Labs IS collecting data about usage.

Are you stating that CoronaLabs API data gathering can be completely shut down? What if we want to access HTTPS on our own back end but we want to be 100% sure no other data is sent anywhere else.

Your end-user security statement is for app users, not enterprise customers. Enterprise customers have large I.T. departments that are going to pick up this traffic and raise all kinds of red flags. You'll have a tough time deploying to any kind of P.O.S. (point of sale), financial, or .gov services with an "always on" data collector. No matter how "passive" it is.

Imagine trying to tell Starbucks that you'll be collecting data on their app's usage...do you think that will fly? Not in a million years. That's marketing data about their customers you're harvesting (even in aggregate) and that's a big no-no.

So the bottom line, if a developer wants your API to do NO communicating outside of something they explicitly write is this possible?

To re-phrase: If I open HTTP access on my app is there a way to prevent Corona API from transmitting ANY data I do not explicitly tell it to?



#22

walter
  • Moderator

  • 726 posts
  • Alumni

@rdytmire, http calls you make explicitly are your own. We would never imagine logging any of that.

The code is structured to do analytics data collection only when launchpad is on. As I mentioned, you can turn it off via a config.lua setting, as long as you don't use a 3rd party launchpad service.

What doesn't make sense is it'd still be happening when launchpad is turned off, which seems to be the claim by @gury.traub --- that's what we're looking into.


#23

gtt
  • Contributor

  • 164 posts
  • Corona SDK

Thanks Walter for looking into it,
Let me know if I can provide anything else to help your investigation.

Not sure it's important to you, but two examples of games we have which exhibit the problem are called "What's Different" and "Mix And Match". To be sure analytics is off I checked the app is not appearing in the dashboard on your site.
I can also assure you we are not using any 3rd party tool that would activate the dashboard.

If you really run into a dead end I'm even willing to send you the source code of one of them (as long as you keep it to yourself :) )

Let me know,

Thanks again!

PS, everyone is mentioning launchPad as the source of this traffic and surely I have no clue how your code is arranged, but just to clarify I have no way of knowing what the source is. As far as I know it might just be some isolated http request in Corona SDK's code which has no connection to analytics.


#24

walter
  • Moderator

  • 726 posts
  • Alumni

UPDATE: Good news is that launchpad behaves as expected --- no network traffic when you opt out.

@gury.traub, I was not able to reproduce the issue on the Nexus 7 running 4.1.

I took the HelloWorld project, added the launchPad=false, removed the permissions (android.permission.INTERNET, android.permission.ACCESS_NETWORK_STATE, android.permission.READ_PHONE_STATE) and there was no issue, no crash. I also tried locking the screen and resuming the app without a problem.

I have to assume there are some network calls in your project that are the culprit.


#25

gtt
  • Contributor

  • 164 posts
  • Corona SDK

I'll recheck all our games


