Path traversal security vulnerability on Google Play
Started by impossibleapps Sep 22 2017 03:43 AM

32 replies to this topic

#26

admin199

  • Observer

  • 2 posts
  • Corona SDK

Hi,

 

Apparently the issue is not fixed in the Enterprise version yet (latest build is 3086):

https://developer.coronalabs.com/downloads/daily-builds

 

Can you please update the Enterprise version as well? We have a lot of apps built with the Enterprise version and we need to fix the Google Play issue.

 

Thanks!



#27

Rob Miracle

  • Moderator

  • 25,935 posts
  • Enterprise

There isn't an "Enterprise" any longer. It's now called "Native builds".  It's in the same download as the Corona DMG file. Install Corona like you would the simulator, go to /Applications/Corona-nnnn (where nnnn is the daily build number), and you will find a folder there named "Native". Run the "Setup Corona Native" if you're going to use new "App" based projects. Run "Setup Corona Enterprise" so your older Enterprise based App projects will run.  But you will be on a new version of Corona when you do.

 

Rob



#28

jeff15

  • Contributor

  • 106 posts
  • Corona SDK

Hi @Rob,

 

I have updated my apps with the 3156 but I can still see the warning. Any suggestion about? How could I solve it?

Thanks a mil

 

g

 

Not sure if this is your issue, but I updated two apps and one immediately did not show the warning but the other still did after a day or two. But, then the warning disappeared. So, perhaps there is a delay in how Google is checking this. Might be worth waiting another day or two. 



#29

bubblebobble

  • Contributor

  • 309 posts
  • Corona SDK

If you hover over the app in the developer console it will state which version apk has the issue.

I have updated mine, and there is a delay as expected, just takes time for the issue to propagate through.

You could also try releasing it as an alpha or beta build and run the security check there :)



#30

vlads

  • Contributor

  • 805 posts
  • Corona Staff

It took about 2 days for the issue to go away for my test app. Also, if any of your live binaries have the issue, it would show an exclamation mark in the console.

To check if issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

You may have to activate Pre-launch reports and submit another build to check it out...



#31

gsp

  • Observer

  • 13 posts
  • Corona SDK

I just updated with 3167 and Google shows me the warning too!!!

 

Security alert
Your app is using a content provider with an unsecured openFile implementation. See this article in the Google Help Center for details.
Vulnerable classes:
com.ansca.corona.storage.FileContentProvider
Fix the problem before this date: 01/15/2018
It affects version 222 of the APK.

 

I use these plugins:

 

plugins =
{
    ["CoronaProvider.ads.iads"] =
    {
        publisherId = "com.coronalabs",
        supportedPlatforms = { iphone=true, ["iphone-sim"]=true },
    },

    ["CoronaProvider.ads.vungle"] =
    {
        publisherId = "com.vungle",
    },

    ["plugin.fbAudienceNetwork"] =
    {
        publisherId = "com.coronalabs",
        supportedPlatforms = { iphone=true, android=true }
    },

    ["CoronaProvider.native.popup.social"] =
    {
        publisherId = "com.coronalabs"
    },

    ["plugin.facebook.v4a"] =
    {
        publisherId = "com.coronalabs"
    },

    ["plugin.google.play.services"] =
    {
        publisherId = "com.coronalabs",
        supportedPlatforms = { android=true }
    },

    ["CoronaProvider.gameNetwork.google"] =
    {
        publisherId = "com.coronalabs",
        supportedPlatforms = { android = true }
    },

    ["plugin.google.iap.v3"] =
    {
        publisherId = "com.coronalabs",
        supportedPlatforms = { android = true }
    },
},
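
Background for the alert quoted in the post above: Google Play flags a content provider when the path passed to its openFile can leave the provider's intended directory through `..` segments. The sketch below is an added example, not Corona's code and not the fix shipped in the daily builds (this thread does not show that code); the class name `SafePathResolver`, the base directory and the sample request paths are hypothetical.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/** Hypothetical helper: confines provider file requests to one directory. */
public final class SafePathResolver {
    private final File baseDir;

    public SafePathResolver(File baseDir) throws IOException {
        // Canonicalize once so symlinks and ".." in the base itself are resolved.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Returns the file for a URI-supplied path, or throws if it leaves baseDir. */
    public File resolve(String requestedPath) throws FileNotFoundException {
        if (requestedPath == null || requestedPath.isEmpty()) {
            throw new FileNotFoundException("empty path");
        }
        File candidate;
        try {
            // getCanonicalFile() collapses "..", "." and symlinks before the check.
            candidate = new File(baseDir, requestedPath).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot canonicalize path");
        }
        // Trailing separator: "/x/files_other" must not pass as inside "/x/files".
        if (!candidate.getPath().startsWith(baseDir.getPath() + File.separator)) {
            throw new FileNotFoundException("path escapes provider directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "provider_files");
        SafePathResolver resolver = new SafePathResolver(base);
        // Constructed sample requests, as they might arrive in a content URI path.
        String[] requests = {
            "images/icon.png", "../databases/app.db", "images/../../shared_prefs/s.xml"
        };
        for (String path : requests) {
            try {
                System.out.println("ALLOW " + resolver.resolve(path));
            } catch (FileNotFoundException e) {
                System.out.println("DENY  " + path + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In an Android provider, openFile would call `resolve()` on the path taken from the incoming URI and only then hand the returned file to `ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY)`.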


#32

gsp

  • Observer

  • 13 posts
  • Corona SDK

To check if issue is gone, I recommend going to Release management -> Pre-launch report -> SECURITY.

 

THANKS ... now it's ok!!!



#33

jhoudoris

  • Observer

  • 9 posts
  • Corona SDK

Download the last version of Corona, rebuild and publish a new version.

This fixed it for me.

 

Using Corona-3195.

 

 




