0

I downloaded the open source project Linphone and built it accordingly. After building, I imported the project into Eclipse and tried some customisations in the layouts. Now I want to upload the app to the Play Store, but I received this error or rejection:

Hello Google Play Developer,

We rejected your app, with package name org.xxxxxx, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

| Vulnerability | APK Version(s) |
|---|---|
| Portable SDK for UPnP Devices. The vulnerabilities were fixed in libupnp v1.6.18 and higher. For more information and next steps, please see this Google Help Center article. | 2511 |

To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.

While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.

If you feel we have made this determination in error, please reach out to our policy support team.

How can I update the UPnP SDK in the Linphone Android project and resolve this issue? I replaced the libupnp files in submodules/externals/build/libupnp with the latest version's files, but the updated version still gets this rejection.

Here is the build.gradle:

EDITED

build.gradle

```groovy
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:1.0.0'
    }
}
apply plugin: 'android'

dependencies {
    compile fileTree(dir: 'libs', include: '*.jar')
}

android {
    compileSdkVersion 22
    buildToolsVersion "20.0.0"

    sourceSets {
        main {
            manifest.srcFile 'AndroidManifest.xml'
            java.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            resources.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            aidl.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            renderscript.srcDirs = ['submodules/linphone/mediastreamer2/java/src','submodules/linphone/java/j2se','submodules/linphone/java/common','submodules/linphone/java/impl','submodules/externals/axmlrpc/src/main/java','submodules/linphone/coreapi/help/java','src']
            res.srcDirs = ['res']
            assets.srcDirs = ['assets']
            jniLibs.srcDir 'libs'

            java.exclude '**/mediastream/MediastreamerActivity.java'
        }

        // Move the tests to tests/java, tests/res, etc...
        instrumentTest.setRoot('tests')

        // Move the build types to build-types/<type>
        // For instance, build-types/debug/java, build-types/debug/AndroidManifest.xml, ...
        // This moves them out of them default location under src/<type>/... which would
        // conflict with src/ being used by the main source set.
        // Adding new build types or product flavors should be accompanied
        // by a similar customization.
        debug.setRoot('build-types/debug')
        release.setRoot('build-types/release')
    }
}
```

My code works simply fine, and the app doesn't crash. The logcat displays only verbose information. So what's the problem with libupnp versions? Google Play are simply not accepting my app, even though I removed the libupnp files from submodules, ran the app on a device, found it works great, then updated the version code, generated a signed APK, and uploaded the version to the Google Play developer console. They reply to say they are refusing to publish because libupnp contains a vulnerability; however, my project doesn't contain any file of libupnp.

This is what they referred to: support.google.com/faqs/answer/6346109; I did all the upgrades but it is still refused. I deleted the files of the UPnP library in the project and removed the referenced code for libupnp from the project, but still they say your app is vulnerable. Surely when there are no files in the project and no code, then there is no vulnerability?

halfer
Addi.Star
  • May I know the reason for the downvote? – Addi.Star Aug 31 '16 at 17:30
  • Please tell us more about how you build your project, for example do you use Gradle's dependency resolution? Posting the build.gradle file would be a good start. – Henry Aug 31 '16 at 18:28
  • I followed the instructions in the Linphone documentation for building. – Addi.Star Aug 31 '16 at 18:55
  • If you want help you should try to make it easy to help you. Do you really expect us to go out for a search what instructions you could have used? – Henry Aug 31 '16 at 18:59
  • I built the project in Eclipse ADT; it is working, but the Play Store rejects it due to some UPnP library. – Addi.Star Aug 31 '16 at 19:14
  • As per Henry's advice: **Posting the build.gradle file would be a good start**. Please make that the very next thing you do, by editing the question. – halfer Aug 31 '16 at 21:04
  • @halfer, Henry: build.gradle added. The issue is still there; I cannot upload the APK to Google Play due to this. – Addi.Star Aug 31 '16 at 21:20
  • I even updated the UPnP library under submodules/externals but still could not publish the APK. – Addi.Star Aug 31 '16 at 21:23
  • I don't know Android, but I was expecting to see the versions of Linphone libraries (which presumably are before libupnp v1.6.18). My guess is that you need to upgrade to later versions to avoid a vulnerability? cc @Henry – halfer Aug 31 '16 at 21:37
  • Later version simply doesn't build; this is the only one I got to work. It is working fine on my device, and now I am getting problems in launching. – Addi.Star Aug 31 '16 at 21:39
  • Err, **what version of this library are you using?** This is like pulling teeth... – halfer Aug 31 '16 at 22:32
  • `later version simply [doesn't] build` - what is the problem with it? Do you have failure logs? Can we see them in your question? – halfer Aug 31 '16 at 22:33
  • Where can I find failure logs? My code works simply fine, the app doesn't crash, works well. Logcat displays only verbose... What's with libupnp versions? Google Play is simply not accepting it. I removed the libupnp files from submodules, ran the app on a device, it works great, then updated the version code, generated a signed APK, then uploaded the version to the Google Play developer console. They reply refusing to publish, saying that libupnp contains a vulnerability, but the project doesn't contain any file of libupnp, so why was it refused? – Addi.Star Aug 31 '16 at 22:53
  • ^ That is good detail that can be added to your question. If you are sure that Google is refusing to publish on mistaken grounds then show us why you believe they are wrong. (Note if you want me to see your comments, please use my handle `@halfer` in future, thanks). – halfer Sep 01 '16 at 19:54
  • @halfer This is what they referred to: https://support.google.com/faqs/answer/6346109. I did all the upgrades but it is still refused. I deleted the files of the UPnP library in the project and removed the referenced code for libupnp from the project, but still they say your app is vulnerable. I mean, when there are no files in the project and no code, then where does the vulnerability come from? – Addi.Star Sep 01 '16 at 21:39
  • Note also that "the app works fine" is not relevant. It either contains the vulnerable library or it does not. Maybe you have other dependencies that bring in this library? – halfer Sep 01 '16 at 21:50
  • How can I exclude this library? I don't know why the Linphone guys don't provide support for their open source project. Well, I made a lot of changes in the code and commented out each reference to the UPnP library which could be invoked at runtime, so now there is no code for UPnP. Can it now be published on the Play Store? – Addi.Star Sep 01 '16 at 21:55
  • Have you tried contacting linphone to get them to update their library? Surely you're not the only one with this issue. – Antimony Sep 02 '16 at 17:18

3 Answers

2

Unfortunately, liblinphone itself includes the vulnerable library.

As of 9/2/16, downloading linphone-latest.apk from linphone.org and searching inside shows

UPnP/1.0, Portable SDK for UPnP devices/1.6.17 

Until they update, there's not much you can do about it, other than ask them to update.

Antimony
  • I think they upgraded their submodules, and also libupnp, about 7 months ago, with files at v1.6.19, but those files don't seem to compile and build. I am about to try those now; starting from scratch might help. – Addi.Star Sep 02 '16 at 17:38
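
The check the answer above describes (searching the built APK for libupnp's version banner), as an added example that is not part of the original posts: it scans the native libraries packaged in the APK rather than the source tree, and compares the embedded version numerically against 1.6.18, the first fixed release named in the Play notice. The sample APK contents and library file names are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Version banner quoted in the answer above, as found inside the shipped APK.
BANNER_RE = re.compile(rb"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)")
FIXED_IN = (1, 6, 18)  # first fixed release per the Google Play notice


def scan_apk(apk):
    """Return sorted (entry, version, vulnerable) tuples for each libupnp
    banner found in the APK's native libraries (lib/<abi>/*.so)."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for m in BANNER_RE.finditer(zf.read(name)):
                version = tuple(int(g) for g in m.groups())
                # Compare as integer tuples: as strings, "1.6.9" would sort
                # after "1.6.18" and be misread as a fixed release.
                findings.add((name, version, version < FIXED_IN))
    return sorted(findings)


def build_sample_apk(entries):
    """Constructed input: an in-memory zip laid out like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    buf.seek(0)
    return buf


# Constructed sample; file names and contents are made up for the demo.
SAMPLE = {
    "lib/armeabi-v7a/libold.so": b"\x7fELF\x00UPnP/1.0, Portable SDK for UPnP devices/1.6.17\r\n\x00",
    "lib/x86/libnew.so": b"\x7fELF\x00UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n\x00",
    "classes.dex": b"dex\n035\x00no native code here",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk(SAMPLE)
    for entry, version, vulnerable in scan_apk(target):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{entry}: libupnp {'.'.join(map(str, version))} -> {status}")
```

Run it with the path to the signed APK as the only argument; any entry reported below 1.6.18 means a prebuilt `.so` still carries the old library, regardless of what was deleted from the source tree.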
0

Okay guys, I have solved the problem and am placing here the answer to my own question. All I had to do was download the updated files from git, found easily on the internet, and then rebuild the project. The latest version of Linphone has libupnp v1.6.9, which avoids the vulnerability, so now I have no problem at all.

Addi.Star
  • When you upload the project with the latest Linphone version, the vulnerability issue also fades away, and the Google store publishes the app. – Addi.Star Sep 08 '16 at 23:33
0

@Addi.Star Thanks for sharing the information. I checked this issue and found they updated the UPnP lib to 1.6.19, which is also noted in upnpconfig.h: library version (string) e.g. "1.3.0" UPNP_VERSION_STRING "1.6.19". I used that and also updated the submodules. Then I compiled it with the latest version of the SDK released by LinPhone, but the app was still rejected. LinPhone also suggested that I use the lib and update the submodules, but nothing helps when the lib version itself defines 1.6.19.

Kunal Roy