Google play security alert!

Marcel · February 18, 2016, 4:42pm

Same here! - Can mobileCore fix it by updating their certificate?

tacchan23 · February 18, 2016, 5:17pm

Now the Notice appeared in my Console too for all Apps with MobileCore. Anybody contacted MobileCore support yet?

apdallahy3 · February 18, 2016, 5:39pm

Same thing here for all my apps any solutions ?

RockstarDev · February 18, 2016, 5:40pm

That confirms the issue is with mobilecore. That sucks man!!

RockstarDev · February 18, 2016, 5:42pm

I already mailed my manager but she is slow to respond.

RockstarDev · February 18, 2016, 5:45pm

I have also mailed the google play support team, once they get back at me will update for the same.

tacchan23 · February 18, 2016, 6:21pm

I just got this email from Google

Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

Affected app(s), version(s), and class(es):

com.xxxxx.xxxxx.xxxxx.xxxxxx
7
com.ironsource.mobilcore.C$1;

Frango · February 18, 2016, 7:57pm

Same here
Any solutions?

rayleigh · February 18, 2016, 8:04pm

same looks like its because the sticky ads ?
I will search a new ad network mobilecore is for me to unsafe.
Because i dont that google block my apps

kell · February 18, 2016, 8:44pm

tacchan23:

I just got this email from Google

Hello Google Play Developer,

Your app(s) listed at the end of this email use an unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

To properly handle SSL certificate validation, change your code in the checkServerTrusted method of your custom X509TrustManager interface to raise either CertificateException or IllegalArgumentException whenever the certificate presented by the server does not meet your expectations. For technical questions, you can post to Stack Overflow and use the tags “android-security” and “TrustManager.”

Please address this issue as soon as possible and increment the version number of the upgraded APK. Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

To confirm you’ve made the correct changes, submit the updated version of your app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

Affected app(s), version(s), and class(es):

com.xxxxx.xxxxx.xxxxx.xxxxxx
7
com.ironsource.mobilcore.C$1;

I’m just, I have received emails accounts, although not all, but the error was pointed directly at Mobilecore.

By the way this morning update an app removing Mobilecore SDK. And even with the warning continues.

kell · February 18, 2016, 8:45pm

expect to Mobilecore rule, I imagine that will update your SDK

apdallahy3 · February 19, 2016, 6:51am

Alert Removed when i removed mobilecore

RockstarDev · February 19, 2016, 7:34am

Great. Thanks for updating us.

vijay · February 19, 2016, 8:10am

Removed mobilecore and released an Update. Later there is no any new alerts coming to my console. But the OLD alerts are remained. Anyhow there are of previous APK versions.

Anteos · February 19, 2016, 8:20am

Anyone with an AM of mC online in Skype? I just added my AM and she is not online yet.
Have you told them about the problem? Removing a good network is not the solution

vijay · February 19, 2016, 8:40am

Yes. What you said is true. Me too waiting for the solution from them.

RATTY · February 19, 2016, 10:39am

Hello there,

can anyone tell me what this google alert means: Your app is using an unsafe implementation of the X509TrustManager interface with an Apache HTTP client, resulting in a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
Affects APK version1. I don’t even know what to do or how to fix it…help.

mmmkkksss · February 19, 2016, 10:41am

dont spam and just read this thread

RATTY · February 19, 2016, 10:49am

ok…first i’m using a forum. just a bit frustrated with the alert. i only have one app on google play.

airbound · February 19, 2016, 11:24am

Just got a reply from my MC account manager:

[i]Dear Developer,

We are aware that in preparation of its enforcement this upcoming May, Google has been issuing more security alerts than usual. We are constantly updating and improving our SDK and we assure you that required adjustments or any needed changes will be done as soon as possible. Please feel free to contact us with any concern or question you may have.

Best regards,

ironSource Mobile Ltd.[/i]

So we just have to wait until they update the SDK.