Jump to content

[TOPIC: topicViewTemplate]
[GLOBAL: userSmallPhoto]
Photo

Path traversal security vulnerability on Google Play
Started by impossibleapps Sep 22 2017 03:43 AM

- - - - -
32 replies to this topic

Best Answer mysticeti , 22 September 2017 - 10:30 PM

You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. 

 

.

 

In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok. 
 

[TOPIC CONTROLS]
Page 1 of 2 1 2
This topic has been archived. This means that you cannot reply to this topic.
[/TOPIC CONTROLS]
[modOptionsDropdown]
[/modOptionsDropdown]
[reputationFilter]
[TOPIC: post.html]
#1

impossibleapps

[GLOBAL: userInfoPane.html]
impossibleapps
  • Enthusiast

  • 69 posts
  • Corona SDK

Hi!

 

I received an email from Google where they say that one of my apps has this path traversal security vulnerability. The problem is related with exposing content providers to other apps. As I don't have any content provider in my game, I assume Corona, or one of its plugins, may be doing that. Could you confirm this info and what I should do to solve this problem?

 

Thanks!

 

Br,

Cleverson

 



[TOPIC: post.html]
#2

runewinse

[GLOBAL: userInfoPane.html]
runewinse
  • Contributor

  • 505 posts
  • Corona SDK

Same thing happens to me. All my corona apps on Google Play are getting a warning!



[TOPIC: post.html]
#3

carloscosta

[GLOBAL: userInfoPane.html]
carloscosta
  • Contributor

  • 671 posts
  • Corona SDK

yeap, same here. i believe is related to website links we have on the apps. not from plugins. at least on my case i suspect that.



[TOPIC: post.html]
#4

davida6

[GLOBAL: userInfoPane.html]
davida6
  • Contributor

  • 129 posts
  • Corona SDK

Trying to narrow down whether this is a "generic" io.open issue or in one of the plugins. (like zip)

Also, would adding exported=false to the android table in build.settings get added to the manifest?



[TOPIC: post.html]
#5

michael714

[GLOBAL: userInfoPane.html]
michael714
  • Contributor

  • 170 posts
  • Corona SDK

Same problem here.  Please help, Corona!



[TOPIC: post.html]
#6

latyl1

[GLOBAL: userInfoPane.html]
latyl1
  • Enthusiast

  • 88 posts
  • Corona SDK

The same for me :(



[TOPIC: post.html]
#7

vlads

[GLOBAL: userInfoPane.html]
vlads
  • Contributor

  • 979 posts
  • Corona Staff

Hey!

We are aware of this issue and trying to solve & test it right now. I will post updates.



[TOPIC: post.html]
#8

jeff15

[GLOBAL: userInfoPane.html]
jeff15
  • Contributor

  • 106 posts
  • Corona SDK

Thanks vlads, I also have received a warning from Google.

Cheers,
Jeff



[TOPIC: post.html]
#9

vlads

[GLOBAL: userInfoPane.html]
vlads
  • Contributor

  • 979 posts
  • Corona Staff

Hello everyone! Daily build 3145 was just published. Only change is closing mentioned vulnerability. Thank you for your patience.

 

Testing this issue was extremely hard, since Google Play seemingly doesn't provide any indication that it was fixed. If you have any questions feel free to ask.

 

Thanks!



[TOPIC: post.html]
#10

jeff15

[GLOBAL: userInfoPane.html]
jeff15
  • Contributor

  • 106 posts
  • Corona SDK

Thanks! I'll be doing an update submission in a day or two and I'll let you know if I hear/see anything regarding this issue. 



[TOPIC: post.html]
#11

davida6

[GLOBAL: userInfoPane.html]
davida6
  • Contributor

  • 129 posts
  • Corona SDK

@vlads,

 

any chance we can get info on what the underlying issue was?  and the fix?  Might help with some native mode issues.

 

thanks

 

Dave



[TOPIC: post.html]
#12

dislam

[GLOBAL: userInfoPane.html]
dislam
  • Contributor

  • 200 posts
  • Corona SDK

Has anyone tried uploading an APK with a Corona build older than 3145, to see if it gets a path traversal warning/rejection?  Just trying to see if there is any way to know whether the fixed build is accepted by Google.



[TOPIC: post.html]
#13

jeff15

[GLOBAL: userInfoPane.html]
jeff15
  • Contributor

  • 106 posts
  • Corona SDK

@dislam, problem is the email says "Starting January 16th, 2018, Google Play will block publishing of any new apps or updates that contain this path traversal vulnerability." so they may not say anything until January, even if the issue is still present in an older build. Makes it tough to know for sure!



[TOPIC: post.html]
#14

mysticeti

[GLOBAL: userInfoPane.html]
mysticeti
  • Contributor

  • 143 posts
  • Corona SDK

  Best Answer

You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. 

 

Screenshot (3).png .

 

In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok. 
 



[TOPIC: post.html]
#15

bubblebobble

[GLOBAL: userInfoPane.html]
bubblebobble
  • Contributor

  • 309 posts
  • Corona SDK

I would also like to know what used this too happen. I have over ten apps marked that were built a good while ago on an old build. My issue is that some of the apis have been updated and it would take many days to update them to the latest build. So Iam thinking if the cause can be resolved by removing something or adding something to build settings or manifest it would greatly help. An explanation of the cause and how it was rectified again would be most helpful.

[TOPIC: post.html]
#16

dislam

[GLOBAL: userInfoPane.html]
dislam
  • Contributor

  • 200 posts
  • Corona SDK

You can check whether the issue has been fixed by going through the pre-launch report in the Dashboard. 
 
attachicon.gif Screenshot (3).png .
 
In the attachment you can see that app version 129, which was built with Corona Build 3145, has been cleared ok.


Great, thank you. This wasn’t enabled for any of my apps. Looks like I have to select the “Opt In” to enable it for future builds.

[TOPIC: post.html]
#17

vlads

[GLOBAL: userInfoPane.html]
vlads
  • Contributor

  • 979 posts
  • Corona Staff

I would also like to know what used this too happen. I have over ten apps marked that were built a good while ago on an old build. My issue is that some of the apis have been updated and it would take many days to update them to the latest build. So Iam thinking if the cause can be resolved by removing something or adding something to build settings or manifest it would greatly help. An explanation of the cause and how it was rectified again would be most helpful.

 

It is always worth updating your apps. Corona makes it extremely easy. If you are using some old framework, you can always download it and still use it, even if it is not in the Core distribution anymore. Just drop it to root folder of sources and you're good, for example, here is storyboard.lua. If you need to migrate really old Google IAP plugin or something, we have easy to follow guides on how to do that.

 

Updating your apps would make them look better on newer Android phones, and generally helps Google Play Store placement.

 

But if you can not rebuild app, I made not-so-simple instructions on how you can actually manually edit manifest to "fix" this vulnerability. Make sure to test your app after making this changes:

 

In nutshell, I use apktool to decompile apk, then edit it's manifest, then recompile and re-sign it.

https://gist.github.com/Shchvova/41628494a2db1dcee611535f8d185b48

 

Again: do not do that unless you absolutely must to.



[TOPIC: post.html]
#18

Krivvenz

[GLOBAL: userInfoPane.html]
Krivvenz
  • Enthusiast

  • 44 posts
  • Corona SDK

It is always worth updating your apps. Corona makes it extremely easy. If you are using some old framework, you can always download it and still use it, even if it is not in the Core distribution anymore. Just drop it to root folder of sources and you're good, for example, here is storyboard.lua. If you need to migrate really old Google IAP plugin or something, we have easy to follow guides on how to do that.

 

Updating your apps would make them look better on newer Android phones, and generally helps Google Play Store placement.

 

But if you can not rebuild app, I made not-so-simple instructions on how you can actually manually edit manifest to "fix" this vulnerability. Make sure to test your app after making this changes:

 

In nutshell, I use apktool to decompile apk, then edit it's manifest, then recompile and re-sign it.

https://gist.github.com/Shchvova/41628494a2db1dcee611535f8d185b48

 

Again: do not do that unless you absolutely must to.

If you use the apktool to manually edit the manifest, do you have to do this everytime you do a build or is the manifest somewhere in my app resources and once you change it once it's changed forever?



[TOPIC: post.html]
#19

vlads

[GLOBAL: userInfoPane.html]
vlads
  • Contributor

  • 979 posts
  • Corona Staff

If you plan to build your app and then use APK took, you should seriously consider building with 3145, where this is just fixed.



[TOPIC: post.html]
#20

bubblebobble

[GLOBAL: userInfoPane.html]
bubblebobble
  • Contributor

  • 309 posts
  • Corona SDK

@Vlads,

thanks for this, successfully updated 4 apps this way as I really wouldve had to make some serious changes.

Moved up to 3145 now for the rest.

Thanks for a nicely detailed response :)



[TOPIC: post.html]
#21

vlads

[GLOBAL: userInfoPane.html]
vlads
  • Contributor

  • 979 posts
  • Corona Staff

Welcome! Thank you for using Corona.

 

Again. My APK hacking is just, exclusively so you can re-submit your existing apps you absolutely 100% can not update. So you may download APK, hack it and resubmit. This is not for building APK with older build and submitting it again.



[TOPIC: post.html]
#22

pbozzone0

[GLOBAL: userInfoPane.html]
pbozzone0
  • Observer

  • 27 posts
  • Corona SDK

Hi, I have compiled my apk with version 2017.3135 and two days ago I upload the new apk in the console of Google Play and continues to report that the vulnerability problem persists.

What can happen?



[TOPIC: post.html]
#23

Rob Miracle

[GLOBAL: userInfoPane.html]
Rob Miracle
  • Moderator

  • 26,408 posts
  • Enterprise

We should have this addressed in daily build 3145 or later.

 

Rob



[TOPIC: post.html]
#24

JBean

[GLOBAL: userInfoPane.html]
JBean
  • Contributor

  • 175 posts
  • Corona SDK

We have been able to update our apps successfully, but we have quite a few to update.

 

Does this appear to be a mandatory thing that google wants updated by a specific date? 

 

From what we gathered in the email, it seems like it's not mandatory, but if we were to push any updates after January (or whatever date was mentioned), that we would have to fix the issue. 



[TOPIC: post.html]
#25

giacinto.attanasio

[GLOBAL: userInfoPane.html]
giacinto.attanasio
  • Observer

  • 1 posts
  • Corona SDK

Hi @Rob,

 

I have updated my apps with the 3156 but I can still see the warning. Any suggestion about? How could I solve it?

Thanks a mil

 

g




[topic_controls]
Page 1 of 2 1 2
 
[/topic_controls]