Security vulnerability in games built with 2018.4, 2019.1 and 2019.2

We got rejected by Google Play for updating a game. The reason was that somwhere in the code, something is allowing untrusted certificates. This opens up for man-in-the-middle attacks in all apps using SSL networking.

After a day with research we finally got the game approved by Google. To get it approved, we had to remove the UDP and UnityChannel folders from Plugins/Android. We did this after decompiling the apk. We found that UDP was referencing X509TrustManager in two places.

After going through the latest release notes, I discovered that Unity recently "fixed" a handshake issue in UnityWebRequest. Putting two and two together, I think this change has introduced the very serious vulnerability issue. Link to case: https://issuetracker.unity3d.com/issues/rest-request-to-ssl-server-failed-to-receive-data

The vulnerability is then either only in the UDP/UnityChannel files, or - much worse - applied to the complete UnityWebRequest api. If the latter is the case, and since Unity has backported the fix to all versions of 2019 and 2018.4, we're effectively shut out from updating our other game that uses UnityWebRequest for multiplayer networking.

 

Have you submitted a bug for this? It's very serious.

 

@Unity-ChiBoon Cough cough.

Is there a way to get in touch with the Unity security team?

 

https://unity3d.com/security

 

is this fixed?

 

Yes