This information is intended for developers of apps that utilize versions of Airpush, an ad platform, that precede 8.1, 8.11, 8.12, or 8.13. These versions contain a security vulnerability. Please migrate your app(s) to 8.1, 8.11, 8.12, or 8.13 or higher as soon as possible and increment the version number of the upgraded APK.
What’s happening
Beginning July 11, 2016, Google Play started to block the publishing of any new apps or updates that use older versions of Airpush. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
The vulnerability was addressed in 8.1, 8.11, 8.12, and 8.13. The latest versions of the Airpush SDK can be downloaded from your Airpush developer portal. You can confirm the version number by cross-checking the SDK version and release date in the “readme.txt” file inside the ZIP. The Integration doc links for the respective versions are 8.1, 8.11, 8.12, and 8.13.
If you need more information about upgrading, you can contact Airpush by using the Helpdesk link when logged into your Airpush account. If you’re using a third-party library that bundles Airpush, you’ll need to upgrade it to a version that bundles 8.1, 8.11, 8.12, or 8.13 or higher.
The vulnerability is due to unsanitized default WebView settings. An attacker may exploit this vulnerability by serving malicious JavaScript code in an advertising creative, making it possible to infer the existence of privacy-sensitive local resources on the device. On Android devices running API levels prior to 16, the attacker can even access local resources. For other technical questions relating to the vulnerability, you can post to Stack Overflow and use the tags “android-security” and “Airpush.”
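The notice does not name the affected settings. As an added example (not Airpush's or Google's code), the following shows how a WebView that your own app creates to render third-party ad markup can override the permissive file-access defaults; WebViews inside the SDK are fixed only by the upgrade. The class name, method names and base URL are assumptions.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Hypothetical helper (names are assumptions) for a WebView that renders third-party ad markup. */
public final class AdWebViewHardening {
    // Placeholder origin for creatives, so script never runs with a file:// origin.
    private static final String AD_BASE_URL = "https://ads.example.invalid/";

    private AdWebViewHardening() {}

    /** Overrides the permissive file-access defaults; call before loading any content. */
    public static void apply(WebView webView) {
        WebSettings s = webView.getSettings();
        // file:// loads are allowed by default for apps targeting API 29 and below.
        s.setAllowFileAccess(false);
        // content:// loads are allowed by default.
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Setters exist from API 16; default is true for apps targeting API 15 and below.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
    }

    /** Loads a creative under an https base URL instead of a local file origin. */
    public static void loadCreative(WebView webView, String html) {
        apply(webView);
        webView.loadDataWithBaseURL(AD_BASE_URL, html, "text/html", "UTF-8", null);
    }

    /** Debug-build check: true only if every file-access setting is off. */
    public static boolean isHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        boolean ok = !s.getAllowFileAccess() && !s.getAllowContentAccess();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            ok = ok && !s.getAllowFileAccessFromFileURLs()
                    && !s.getAllowUniversalAccessFromFileURLs();
        }
        return ok;
    }
}
```

On devices below API 16 the two `FromFileURLs` setters do not exist, which is why the example also turns off file access entirely and loads creatives under a non-file base URL.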
While these specific issues may not affect every app that uses Airpush, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.