MoPub Security Vulnerability

Gamenology Media

New Member
Security alert

Your app is using a version of MoPub containing a security vulnerability. Please see this Google Help Centre article for details, including the deadline for fixing the vulnerability.

This information is intended for developers of apps that utilize any version of MoPub, an ad platform, that precedes 4.4.0. These versions contain a security vulnerability.

Please migrate your app(s) to MoPub v4.4.0 or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of MoPub.

The vulnerability was addressed in MoPub 4.4.0. The latest versions of the MoPub SDK can be downloaded here. To confirm the version number if you're building using the Jcenter AAR, you can check your Gradle config and make sure it points to 4.4.0. To confirm the version number if you're building directly from source or not using Gradle, you can check com.mopub.common.MoPub.java for SDK_VERSION.

If you need more information, you can contact MoPub support by emailing support@mopub.com. If you’re using a 3rd party library that bundles MoPub, you’ll need to upgrade it to a version that bundles MoPub 4.4.0 or higher.

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

The vulnerability is due to unsanitized default WebView settings. An attacker may exploit this vulnerability by serving malicious JavaScript code in an advertising creative, making it possible to infer the existence of privacy-sensitive local resources on the devices. For Android devices with the prior versions of API 16, the attacker can even access local resources. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “MoPub.”

While these specific issues may not affect every app that uses MoPub, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
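The version check the notice describes (the Gradle config and `SDK_VERSION` in `MoPub.java`), written as a project scan. This is an added example, not part of the original post or of Google's notice. The `com.mopub:mopub-sdk` dependency coordinate and the form of the `SDK_VERSION` declaration are assumptions, and the sample project tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 4, 0)  # first fixed release, per the notice above

# Assumed Gradle coordinate form: 'com.mopub:mopub-sdk:<version>' (optionally '@aar').
GRADLE_RE = re.compile(r"com\.mopub:mopub-sdk[\w-]*:([0-9][\w.+\-]*)")
# Assumed declaration form in com/mopub/common/MoPub.java.
SOURCE_RE = re.compile(r'SDK_VERSION\s*=\s*"([^"]+)"')


def parse_version(text):
    """Return the numeric components as a 3-tuple, or None for dynamic versions such as '4.+'."""
    if "+" in text:
        return None
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None


def scan(root):
    """Yield (relative path, version string, status) for each MoPub version found under root."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".gradle":
            pattern = GRADLE_RE
        elif path.name == "MoPub.java":
            pattern = SOURCE_RE
        else:
            continue
        for raw in pattern.findall(path.read_text(errors="replace")):
            ver = parse_version(raw)
            status = "unknown" if ver is None else ("ok" if ver >= FIXED else "vulnerable")
            yield str(path.relative_to(root)), raw, status


def demo():
    """Scan a constructed project tree (one old AAR dependency, one source copy) and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "build.gradle").write_text(
            "dependencies {\n    compile('com.mopub:mopub-sdk:4.3.0@aar') { transitive = true }\n}\n")
        src = root / "lib" / "com" / "mopub" / "common"
        src.mkdir(parents=True)
        (src / "MoPub.java").write_text('public static final String SDK_VERSION = "4.4.0";\n')
        return list(scan(root))
```

A status of `unknown` means the dependency uses a dynamic version, so the resolved version has to be read from the build output instead. Bundled copies inside third-party libraries only show up if their source or Gradle files are in the scanned tree.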
 

kailor

Member
Me too. It shows me that I have 3 affected apps.

Will there be an update soon, or will I have problems with my Google developer account?
 

Zac F.

Member
Thanks @appyet

To all: Don't worry about your Google Developer account. The email you received today was just letting you know about the vulnerability. You are not at risk of having your account deactivated or anything like that. You just wouldn't be able to update your app after July 11th if it still contains the vulnerability. I am sure AppYet will have updated it before then.
 
Looks like our APK contains MoPub stuff even if it is not activated. It would be nice if it were not overloading the APK by default (1/ no risk for such bp 2/ APK less "heavy").
 