topic Re: Google Play security warning in ArcGIS AppStudio Questions

Google Play security warning

BrianHovis — Thu, 16 Jun 2016 17:45:29 GMT

I received the following message today from Google Play. I assume that the file to which they refer is part of the template. I know you are making updates, so perhaps this is already included.

Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

What’s happening

Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.

Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.

Next steps

Download the latest version of libpng from the libpng website.
Sign in to your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.

You can read more about the vulnerability in CVE-2015-8540. For other technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches.

We’re here to help

If you feel we have sent this warning in error, you can contact our developer support team.

Regards,

The Google Play Team

Affected app(s) and version(s) are listed below. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

com.esri.appdede77e19d354ae09a093d94937a760e 1000006

Re: Google Play security warning

JasonKiesel — Thu, 16 Jun 2016 18:29:44 GMT

When will this be addressed? This is a showstopper issue for us. Please advise. Thank you.

Re: Google Play security warning

BrianHovis — Thu, 16 Jun 2016 19:17:50 GMT

Hi, I am sure ESRI advisers will let us know. I am just reporting what happened to me as a user. Sathya Prasad

Re: Google Play security warning

SathyaPrasad — Thu, 16 Jun 2016 22:36:49 GMT

AppStudio team and the ArcGIS Runtime team are looking into this issue. We will update soon.

Just to clarify:

Only new apps and update to existing apps submitted on Google Play (after Sept 2016) will be affected by this announcement. Current apps will continue to be available and users can search and download. They have given us sufficient time to handle the issue.

Re: Google Play security warning

SalihYalcin — Fri, 17 Jun 2016 06:04:05 GMT

I got this notification too. How did you detect that esri library use libpng library ? Google play developer console only says that your app affected due to the previous version of libpng. I ask this question because I use many libraries in my project.

Thanks in advance

Re: Google Play security warning

BrianHovis — Fri, 17 Jun 2016 17:58:54 GMT

Hello, I use the AppStudio template and only have one app. I guessed that the libpng warning was related to the template, and therefore out of my control. I was glad to see that the AppStudio and ArcGis Runtime teams are on top of this and will have it all handled by September.

Re: Google Play security warning

AkhilSharma — Mon, 20 Jun 2016 21:17:14 GMT

i am also having the same issue
Hopefully it gets fixed soon

Re: Google Play security warning

AkhilSharma — Mon, 20 Jun 2016 21:19:19 GMT

I used the following command in Terminal on my Mac

unzip -p arcgis-android-v10.2.8.aar | strings | grep "libpng"

This will show you the version of libpng used in the aar/jar/apk file

Re: Google Play security warning

nakulmanocha — Mon, 27 Jun 2016 15:49:00 GMT

FYI- An official defect with Support has been logged for this issue # BUG-000097435 : Vulnerability with libpng for Google Play Android .

Re: Google Play security warning

DominicBestler — Thu, 21 Jul 2016 15:42:29 GMT

Nakul Manocha Where can I find this Bugreport?

Re: Google Play security warning

AkhilSharma — Mon, 25 Jul 2016 16:06:15 GMT

FYI this issue has been fixed in version 10.2.8-1

Google Play security warning due to the libpng library version · Issue #172 · Esri/arcgis-runtime-samples-android · GitH…

Re: Google Play security warning

nakulmanocha — Thu, 28 Jul 2016 00:13:03 GMT

It is supposed to show up on the Esri Support Home page. Unfortunately, it is not public yet. But rest assured the team is working on it to get it fixed.

Re: Google Play security warning

MarikaVertzonis — Wed, 17 Aug 2016 04:00:40 GMT

The runtime fix has now been applied to the AppStudio cloud Make service. You do not need to install a new version of AppStudio to make use of this fix - just build your app again with cloud Make.