Security Warning when uploading APK to Google Play

Discussion in 'Unity IAP' started by Steven_Digixart, Nov 3, 2016.

Thread Status:
Not open for further replies.
  1. Steven_Digixart

    Steven_Digixart

    Joined:
    Apr 22, 2015
    Posts:
    2
    After updating UnityIAP to the latest version (1.9.0), we started to receive warnings from GooglePlay about a security error in the onReceivedSslError implementation.

    Your app is using an unsafe implementation of WebViewClient.onReceivedSslError handler. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
    Vulnerable classes:
    • com.cm.androidforunity.WebActivity$3
    After looking at the UnityIAP files, it looks like the class causing the issue is in the CloudMoolah aar plugin. (Assets\Plugins\UnityPurchasing\Bin\Android\CloudMoolah.aar)

    Since GooglePlay will stop accepting APKs with this security issue starting from November 25, is it safe to disable this plugin when targeting the GooglePlay store, or should we revert the UnityIAP version / wait for a fix?

    Edit: After reselecting Google Play in the UnityIAP menu, it disabled the plugin. Which means it was enabled by default after we updated UnityIAP.
     
    Last edited: Nov 3, 2016
  2. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    1,340
    Hello @Steven_Digixart,

    Yes, we've had a couple of people alert us to this issue. We will be updating the plugin soon to address these two issues:

    1. The error itself in the CloudMoolah code.
    2. Automatically removing non-google code.

    As you mentioned in your edit, selecting Google play from that menu will remove the unnecessary code.

    Thanks for alerting us to this issue and we apologize for any inconvenience this issue has caused.
     
  3. platinio2007

    platinio2007

    Joined:
    Jul 17, 2015
    Posts:
    17
    Hi guys, will this be solved? Will I need to upgrade my project to the newer Unity version to get the updates? Currently I am on 5.3, thanks :)
     
  4. cgutierrez71

    cgutierrez71

    Joined:
    Oct 15, 2013
    Posts:
    13
    Hello, I have the same problem. I received a message in the developer console after updating my apk file.

    Your app(s) listed at the end of this email have an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
    .
    .
    .
     
  5. uspdev

    uspdev

    Joined:
    Sep 29, 2016
    Posts:
    5
    Hi, I have the same issue, help me to fix this...
     
  6. ModOp

    ModOp

    Joined:
    Oct 5, 2016
    Posts:
    1
    @ap-unity
    Is this the solution to this issue? Reselecting Google Play from the UnityIAP menu?
     
  7. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    1,340
    @platinio2007, @uspdev,

    I can't give a specific time frame, but we are aware of this issue and we are working on a resolution.

    @cgutierrez71,

    Thank you for that additional information.

    @ModOp,

    Yes, that should prevent the CloudMoolah plugin from being loaded when using the Google Play store, which is where this issue originates. We will solve the underlying issue in an upcoming patch of the plugin.
     
  8. franciscochong

    franciscochong

    Joined:
    Jul 9, 2015
    Posts:
    23
    This was solved per @ap-unity + @Steven_Digixart workaround.
    The message is gone from my developer warnings.
     
  9. quanghits

    quanghits

    Joined:
    Oct 19, 2016
    Posts:
    2
    I disabled the CloudMoolah plugin for Android to upload to the Play Store. The app is still working.

    It's ok.
     
  10. jarado9

    jarado9

    Joined:
    Sep 24, 2014
    Posts:
    7
    Had this same issue, I managed to fix the apk by making sure in the Window > Unity IAP > Android > , then making sure only Target Google Play is marked with a tick.
    Hope this helps.

     
  11. Yonath

    Yonath

    Joined:
    Oct 26, 2015
    Posts:
    16
    I have this same issue. I verified the target Google Play in the UIAP window and I still have the alert in the Google Play console.
     
  12. jarado9

    jarado9

    Joined:
    Sep 24, 2014
    Posts:
    7
    Did you upload a new apk? Also, it can take many hours before the alert goes away.
     
  13. HereIAmItsMe

    HereIAmItsMe

    Joined:
    Jul 16, 2012
    Posts:
    8
    May need to remove CloudMoolah.aar from Plugins/UnityPurchasing/Bin/Android
     
  14. asylumhouse-sg

    asylumhouse-sg

    Joined:
    Mar 27, 2016
    Posts:
    21
    Just wondering, has anyone found a solution?
     
  15. Yonath

    Yonath

    Joined:
    Oct 26, 2015
    Posts:
    16
    I made this and it's working fine with no alert. Thanks!
     
  16. cgutierrez71

    cgutierrez71

    Joined:
    Oct 15, 2013
    Posts:
    13
    Do you recommend what people say regarding removing CloudMoolah.aar from Plugins/UnityPurchasing/Bin/Android? Or must we wait for Unity Technologies' official solution to this issue? Google Play says that the deadline to solve this is November 25, otherwise they will block publishing of any new apps or updates that contain this vulnerability.

    Thank you very much,
     
  17. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    1,340
    @cgutierrez71,
    The method suggested by jarado9 should resolve this issue for the time being. This will remove the plugin when your apk is created.
    As soon as the new version is finished and tested, we will let everyone know.
     
  18. knuppel

    knuppel

    Joined:
    Oct 30, 2016
    Posts:
    90
    @ap-unity Any updates to solve the issue? I tried to fix it like

    "I managed to fix the apk by making sure in the Window > Unity IAP > Android > , then making sure only Target Google Play is marked with a tick."
    but it didn't help. The Google deadline is November the 25th.
     
  19. jeffkenz

    jeffkenz

    Joined:
    Apr 8, 2013
    Posts:
    12
    Any news about this? I get the same error and already tried targeting only Unity IAP > Android but still got the error?
     
  20. knuppel

    knuppel

    Joined:
    Oct 30, 2016
    Posts:
    90
    Where is CloudMoolah.aar located on a Windows system?
     
  21. milox777

    milox777

    Joined:
    Sep 23, 2012
    Posts:
    106
    It's in your project when you import Unity IAP, simply search for "CloudMoolah" and delete it
     
  22. nicholasr

    nicholasr

    Unity Technologies

    Joined:
    Aug 15, 2015
    Posts:
    119
    Hi folks - thank you for reporting this issue - it will be fixed in Unity IAP 1.9.2 planned for this week.
     
  23. John3D

    John3D

    Joined:
    Mar 7, 2014
    Posts:
    401
    Good to know. Thanks!
     
  24. cgutierrez71

    cgutierrez71

    Joined:
    Oct 15, 2013
    Posts:
    13
    Thank you very much! It worked for me :)
     
  25. Erikir

    Erikir

    Joined:
    Jul 23, 2013
    Posts:
    7
    Hey nicholasr!, our app just got rejected by google because of this issue :(!
    I was trying to look for the current version installed on our project but couldn't find anything, do you know if Unity IAP with 1.9.2 is already out?
     
  26. ap-unity

    ap-unity

    Unity Technologies

    Joined:
    Aug 3, 2016
    Posts:
    1,340
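
Added example (not part of the thread, and not Unity or CloudMoolah code): several posts above report the alert persisting after the workaround, so this checks whether a built APK still carries the class named in the Google Play warning. It byte-searches each top-level classes*.dex for that class's type descriptor; the function names and the constructed in-memory APK are assumptions made for illustration.

```python
import io
import sys
import zipfile

# Class named in the Google Play warning quoted in this thread.
FLAGGED_CLASS = "com.cm.androidforunity.WebActivity$3"


def dex_descriptor(class_name):
    """Java class name -> type descriptor as stored in a dex string table."""
    return b"L" + class_name.replace(".", "/").encode("utf-8") + b";"


def find_class_in_apk(apk, class_name=FLAGGED_CLASS):
    """Return the top-level classes*.dex entries that mention class_name.

    apk is a path or a binary file object. A plain byte search is a
    heuristic: it matches definitions and references alike.
    """
    needle = dex_descriptor(class_name)
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                if needle in zf.read(info):
                    hits.append(name)
    return hits


def constructed_apk(entries):
    """Build a constructed in-memory stand-in for an APK (not real dex code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # path to the APK you are about to upload
    else:
        sample = b"dex\n" + dex_descriptor(FLAGGED_CLASS)  # constructed bytes
        target = constructed_apk({"classes.dex": sample})
    hits = find_class_in_apk(target)
    print("flagged class found in:" if hits else "flagged class not found", *hits)
```

An empty result for the APK you are about to upload means the flagged class was not packaged into it.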