PDA

View Full Version : [Android] Google Play Developer libpng warning



tcolligan
16.06.2016, 20:51
I just submitted a new version of my app to the Google Play Store containing the Skobbler SDK and received the following warning:



Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

What’s happening

Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.

Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.


It looks like the libngnative.so files that are included with the sdk are actually libpng. In terminal when I use
grep -r -n --text "libpng" . I can see the following info
./app/src/main/jniLibs/x86/libngnative.so:10864:libpng version 1.5.10 - March 29, 2012

Looks like this needs to be updated to v1.5.26 otherwise people are going to start having issues submitting their Android Apps. Any quick fixes or ETA on a solution for this? Thanks!

dandronic
16.06.2016, 21:03
Thanks for sharing - we've also received this warning message for our own apps – we're working towards updating the libpng version (the September timeframe should allow us to properly handle this threat).

gcjames
17.06.2016, 01:02
Thanks for sharing - we've also received this warning message for our own apps – we're working towards updating the libpng version (the September timeframe should allow us to properly handle this threat).
Hi dandronic, are you able to confirm whether this will be an update to the 2.5.1 version, or will it only be fixed in the 3.0+ releases?

dandronic
17.06.2016, 08:56
We will make the fix for both 2.5.1 and 3.0

openminds
18.06.2016, 16:52
Please consider a timely update so that we can tackle this issue as quickly as possible. Ideally as a separate patch-version that doesn't tackle anything else.

September is not that far away - especially since summer holidays also happen to be within this timeframe.

Adela_Silvia
24.06.2016, 09:51
For our SDK users the estimate timeframe to release this fix is the first week of August. We’ve added this issue as a priority on our list.

dandronic
19.07.2016, 15:55
The hotfix for 2.5.1 is already available: http://forum.skobbler.com/showthread.php/7563-Latest-2-5-1-builds (http://forum.skobbler.com/showthread.php/7563-Latest-2-5-1-builds)

The 3.0.0 fix will be part of the 3.0.1 update (in August)

jav974
15.09.2016, 11:57
Any news regarding the patch for v3.0 ? Or a roadmap to the 3.0.1 ? I am facing this issue with an app in production on the playstore with the sdk version 3.. Thanks !

dandronic
15.09.2016, 12:04
The 3.0.1 release is already available - containing the libpng update: please see http://forum.skobbler.com/showthread.php/7827-Android-3-0-1-release-candidate-build

jav974
15.09.2016, 17:47
Thanks a lot !