linphone-developers

Re: [Linphone-developers] Google Play Store rejects app because of Linph


From: Duc Tran Anh
Subject: Re: [Linphone-developers] Google Play Store rejects app because of Linphone old version
Date: Mon, 8 Aug 2016 10:57:54 +0700

Hello Linphone supporter,

We develop an Android app using your Linphone source code. But our app is rejected by Google Play. So, we will tell you again the issue from Google Play:
[
Hi Anh,

Thanks for contacting Google Play Developer Support!

I'm sorry you're still having issues with this. 

It looks like you've addressed the TrustManager security vulnerability, but your app is now being rejected due to a vulnerable Libupnp library. 

I can see that Version 4 of your app has the following file in it, which contains a vulnerable version of Libupnp:
File in APK: lib/armeabi-v7a/liblinphone-armeabi-v7a.so

The vulnerable version of Libupnp in this file: 1.6.17 

Please migrate your app(s) to use libupnp v1.6.18 or higher as soon as possible and increment the version number of the upgraded APK. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-1.6.18 versions of libupnp.

The vulnerability was addressed in libupnp 1.6.18. The latest versions of the libupnp SDK can be downloaded on the libupnp site, (https://sourceforge.net/projects/pupnp/files/). For help upgrading, see the libupnp support page, (https://www.vitamio.org/en/docs/Tutorial/). If you’re using a 3rd party library that bundles libupnp, you’ll need to upgrade it to a version that bundles libupnp 1.6.18 or later.

Please note that this is the only remaining security vulnerability associated with your app, so as long as this vulnerable library is updated, your app should be in good standing and all security concerns should be properly addressed, (as long as a different security vulnerability isn't introduced with your updated APK). 

I hope this helps! If you have any further questions, please let me know. I'm happy to help.

Regards,
Forrest
Google Play Developer Support
Did you know we offer chat support in English? You can chat with us from Monday through Friday, 6 am to 3 pm PT.

So that we can send you more relevant information, please let us know your role and update your email preferences in the Developer Console.
]

-----------------------------------------------------------------------------------------------------------------------------------
1/ Fixing with old source code:
As per the email confirmation from your side, we followed it. But we can't run it. We don't know why. This is your suggestion:
[
Hi Anh,

You'll be pleased to know since today we replaced the de.timroes.axmlrpc library by the xmlrpc implementation in liblinphone.

If you update to the latest version, you shouldn't have this issue anymore. Don't forget to update the submodules.
Cheers,
]

-------------------------------------------------------------------------------------------------------------------------------------
2/ We download your new source linphone from GitHub:
We can't build and run with this source. Are you fixing this library? Is this source running well or not? Because it doesn't show any errors. The app crashed when we ran it.
[
https://github.com/BelledonneCommunications/linphone-android
]


Please give us the solution on this. 

Thanks,

On Fri, Jul 22, 2016 at 10:48 PM, Sylvain Berfini <address@hidden> wrote:

Hi Anh,

You'll be pleased to know since today we replaced the de.timroes.axmlrpc library by the xmlrpc implementation in liblinphone.

If you update to the latest version, you shouldn't have this issue anymore. Don't forget to update the submodules.

Cheers,

Sylvain Berfini
Software Engineer @ Belledonne Communications
On 21/07/2016 at 09:06, Duc Tran Anh wrote:
Dear Linphone Experts,

Firstly, I appreciate the open source you are providing.
I have used your Linphone source for our project. We have now submitted the app to the Google Play Store, but it was rejected because we are using an old lib in our code that violates a security issue of Google Policy.

Could you please check the reject detail from Google below?
I know well that you have a new version (2016) that solves this issue. But if we change to this new version, we will have to re-code so much of our project that it looks impossible. That's why I ask whether there may be another way, like just replacing a core lib, that would resolve this problem?

----
Hi Anh,

Thanks for contacting Google Play Developer Support about the security alert you have received with regard to the use of an unsafe implementation of the interface X509TrustManager.

Beginning May 17, 2016, Google Play will block publishing of any new apps or updates containing the unsafe implementation of the interface X509TrustManager.

Version 1 of your app CloseChat contains the following affected code:
Lde/timroes/axmlrpc/XMLRPCClient$1; 

To confirm that you’ve addressed the vulnerability, upload the updated version of the app to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.  

To see a full list of all apps affected by security vulnerabilities, please view the Alerts tab of your developer console.

If you believe this vulnerability resides in a third party library, please notify the third party and work with them to address this.

While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials), and even change the data transmitted on the HTTPS connection. 

I hope this helps! If you have any further questions, please let me know. I'm happy to help.

Regards,
Forrest
Google Play Developer Support
----

Thank you so much Linphone Experts!

Thanks and regards,

--

-------------------------------------

Duc Tran (Mr. )

Tran Anh Duc

OFC Team

Leader / Software Engineer

Email: address@hidden

Skype: ebw_ducta

Cell phone: (+84)986 606 477

 

EBIZWORLD

WORLD ELECTRONIC BUSINESS CO., LTD

APPLICATION OUTSOURCING

WEBSITE - SOFTWARE DEVELOPMENT

GAME DEVELOPMENT

QUALITY ASSURANCE TESTING

DOMAIN - WEB HOSTING


Office: 3rd Floor, SBI Building, Street 3, Quang Trung Software City, Tan Chanh Hiep Ward, District 12, Ho Chi Minh City, Vietnam

Tel: (+848)  371 575 62

Email: address@hidden

Website: www.ebizworld.com.vn



_______________________________________________
Linphone-developers mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/linphone-developers
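
An added example (not part of the thread, and not Linphone or Google code): a pre-submission check that looks inside an APK for the two findings Google Play quotes above, a libupnp build older than 1.6.18 in `lib/*.so` and the flagged class `Lde/timroes/axmlrpc/XMLRPCClient$1;` in `classes*.dex`. It assumes the libupnp version is visible through the library's `Portable SDK for UPnP devices/<version>` banner string; the sample APK and the class name `Lorg/linphone/Main;` are constructed for the demonstration.

```python
import io
import re
import zipfile

# Assumption: libupnp's version survives in the compiled .so as the banner
# "Portable SDK for UPnP devices/<version>" that it sends in HTTP/SSDP headers.
UPNP_BANNER = re.compile(rb"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)")
MIN_LIBUPNP = (1, 6, 18)  # first fixed version named in the quoted Google Play notice
# Class descriptor quoted in the X509TrustManager alert. DEX files store type
# descriptors as plain strings, so a byte search is enough to spot it.
FLAGGED_CLASS = b"Lde/timroes/axmlrpc/XMLRPCClient$1;"


def scan_apk(apk):
    """Return a sorted list of (entry_name, finding) for an APK path or file object."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                data = zf.read(name)  # zipfile decompresses the entry for us
                for m in UPNP_BANNER.finditer(data):
                    version = tuple(int(g) for g in m.groups())
                    if version < MIN_LIBUPNP:
                        findings.append((name, "libupnp %d.%d.%d" % version))
            elif re.fullmatch(r"classes\d*\.dex", name):  # covers multidex
                if FLAGGED_CLASS in zf.read(name):
                    findings.append((name, FLAGGED_CLASS.decode()))
    return sorted(set(findings))


def build_sample_apk(upnp_version, with_axmlrpc):
    """Constructed test input: a zip with an APK-like layout, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        banner = b"\x7fELF\x00UPnP/1.0, Portable SDK for UPnP devices/" + upnp_version + b"\r\n\x00"
        zf.writestr("lib/armeabi-v7a/liblinphone-armeabi-v7a.so", banner)
        dex = b"dex\n035\x00" + (FLAGGED_CLASS if with_axmlrpc else b"Lorg/linphone/Main;")
        zf.writestr("classes.dex", dex)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, finding in scan_apk(build_sample_apk(b"1.6.17", True)):
        print(name, "->", finding)
```

An empty result only means neither marker string was found; a build that strips or renames them (for example through obfuscation) still needs to be checked against the versions of the submodules it was built from.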

