Security Warning when uploading APK to Google Play

After updating UnityIAP to the latest version (1.9.0), we started to receive warnings from GooglePlay about a security error in the onReceivedSslError implementation.

Your app is using an unsafe implementation of WebViewClient.onReceivedSslError handler. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.
Vulnerable classes:

• com.cm.androidforunity.WebActivity$3

After looking at the UnityIAP files, it looks like the class causing the issue is in the CloodMoolah aar plugin.(Assets\Plugins\UnityPurchasing\Bin\Android\CloodMoolah.aar)

Since GooglePlay will stop accepting APK with this security issue starting from November 25, is it safe to disable this plugin when targetting GooglePlay store, or should we revert the UnityIAP version / wait for a fix?

Edit: After reselecting Google Play in the UnityIAP menu, it disabled the plugin. Which means it was enabled by default after we updated UnityIAP.

 

Hi guys, and this will be solved? i will need to upgrade my project to the unity newer version to get the updates?? currently i am on 5.3 , thansk

 

Hello, I have the same problem. I received a message in the developer console after updating my apk file.

Your app(s) listed at the end of this email have an unsafe implementation of the WebViewClient.onReceivedSslError handler. Specifically, the implementation ignores all SSL certificate validation errors, making your app vulnerable to man-in-the-middle attacks. An attacker could change the affected WebView's content, read transmitted data (such as login credentials), and execute code inside the app using JavaScript.
.
.
.

 

Hi i have same issue, help me to fix this...

 

@ap-unity
Is this the solution to this issue? reselecting google play from unityIAP menu?

 

This was solved per @ap-unity + @Steven_Digixart workaround.
The message is gone from my developer warnings.

 

I disable CloudMoolah plugin for Android to upload play store. App still working.

It's ok.

 

Had this same issue, I managed to fix the apk by making sure in the Window > Unity IAP > Android > , then making sure only Target Google Play is marked with a tick.
Hope this helps.

 

I have this same issue. I verified the target Google play in UIAP window and I have still the alert in the Google play console.

 

Did you upload new apk? and it can take many hours before the alert goes away.

 

May need to remove CloudMoolah.aar from Plugins/UnityPurchasing/Bin/Android

 

Just wondering, has anyone found a solution?

 

I made this and it's working fine with no alert. Thanks!

 

Do you recommend what people say regarding to remove CloudMoolah.aar from Plugins/UnityPurchasing/Bin/Android? or we must wait for Unity Technologies official sollution of this issue? Google Play says that the death line to solve this is November 25, otherwise they will block publishing of any new apps or updates that contain this vulnerability.

Thank you very much,

 

@ap-unity Any updates to solve the issue? I tried to fix it like

"I managed to fix the apk by making sure in the Window > Unity IAP > Android > , then making sure only Target Google Play is marked with a tick."
but it didn't help. The Google deadline is November the 25th.

 

any news about this?i get same error & already try only target Unity IAP > Android but still got error ?

 

Where is CloudMoolah.aar on a windows systwm located?

 

It's in your project when you import Unity IAP, simply search for "CloudMoolah" and delete it

 

Hi folks - thank you for reporting this issue - it will be fixed in Unity IAP 1.9.2 planned for this week.

 

Good to know. Thanks!

 

Thank you very much! It worked for me

 

Hey nicholasr!, our app just got rejected by google because of this issue !
I was trying to look for the current version installed on our project but couldn't find anything, do you know if Unity IAP with 1.9.2 is already out?