16

This recently popped out pre-launch report, once I published minor update to app.

enter image description here

I've seen also couple of similar recently in other projects, with class names obfuscated in exactly same name (bjqm.* , bpce.*).

I wonder whats causing it (which dep)? Note that it's dynamically loaded code. These classes are nowhere to be seen in "obfuscation mapping.txt", I didn't catch classes either in heap dump. Also I've tried to submit app without obfuscation into internal builds, but these classes are still scrambled / obfuscated in pre-launch report.

It seems Google has updated static analyzers recently as minor change I did in codebase doesn't cause it.

Erkki Nokso-Koivisto
  • 1,203
  • 15
  • 19
  • #erkki Nokso-Koivisto As far as PendingIntent issue is concerned. _Activity_Recognition_Flutter has this PendingIntent pendingIntent Otherwise, in my project I don't see any direct ref in any of the package this Unsafe Encryption , relating public-key encryption requirement – Devaski Apr 25 '23 at 17:50
  • Thanks, but it's not Flutter dependency in my case (PendingIntents are quite popular in 3rd party SDKs). I'm looking at exactly same classnames reported under RevenueCat, and user fdx-76333c claiming having Google deps only.. so could this be due outdated Google dep (firebase-x, play-services-x.. ).. – Erkki Nokso-Koivisto Apr 25 '23 at 18:16
  • 1
    I am getting the EXACT same issue, with the EXACT same names bjqm.c and bpce.b... its very strange. Will also do a re-upload and see if it works – Zee Apr 26 '23 at 11:58
  • I am getting exact issue too with same classes have you found any clue ? – Radwa Apr 27 '23 at 08:29
  • @radwa did you try resubmitting the app, which fixed it for me? – Erkki Nokso-Koivisto Apr 27 '23 at 09:45
  • I did actually I am wafting for PLR right now , but you know if it doesn't appear now it might pop up next time , I was asking if its just an issue resolved by google it is really a security error we need to resolve. – Radwa Apr 27 '23 at 11:04
  • I have exactly the same issue and same file name, no ads in my app, i updated Android libraries but no idea why is this happening. I tried to re submit again and i still have the same issue – Javier May 05 '23 at 20:28
  • 1
    I just got this warning even though I didn't have this warning a week ago when I submitted another update. Very similar code, just minor changes. I did update some ad network libraries. Anyone know how I can track which libraries might be causing this? – casolorz May 08 '23 at 13:56
  • I resubmitted and still get the same issue. I do not use Flutter (just plain old android studio project). I do use some c++ libs. No ads. I am getting it in two projects, they have the following gradle libs in common: ML text recognition, camera2, play-services-location, core-splashscreen, about libs (and some others). Also would like to know how to track down offending lib – Zee May 10 '23 at 07:45
  • 1
    Maybe it is com.google.android.gms:play-services-basement dep (it's a subdep of play-services-location, firebase-message & others). It seems to have following fixed in 18.0.2; "The latest updates to the play-services-basement library improve security on signature verification and address the mutable PendingIntent vulnerability.". @Zee if you could try bumping play-services-location to latest (21.0.1). Use “./gradlew app:dependencies” to test you have play-services-basement >= 18.0.2 in project. I upgraded play-services-location from 17.0.0->21.0.1 and basement is now 18.1.0 from 17.0.0 – Erkki Nokso-Koivisto May 11 '23 at 08:24
  • @ErkkiNokso-Koivisto It seems that the location was already on the latest, but the ML text recognition was not - I updated all my gradle libs then ensure basement was 18 as you suggested. It SEEMS to have worked. You should really add it as an answer and maybe claim that sweet bounty. – Zee May 11 '23 at 12:07
  • @zee nice if it worked, was ML text really depending on old version of play-services-basement or was it some of your other google deps? – Erkki Nokso-Koivisto May 11 '23 at 12:17
  • 1
    @ErkkiNokso-Koivisto if I undo the upgrade, it seems to be depending on basement 18.1.0... so now im not sure. But the error is still now showing in Play :( – Zee May 11 '23 at 12:32
  • 1
    I'm on `18.2.0` for `base` and `18.1.0` for basement and got the pre launch report error last night. I found out you can upload the bundle and not submit it for review and it still generates the pre launch report so I'm just testing that way. – casolorz May 11 '23 at 14:41
  • Does anyone know if the APK will be accepted or rejected with this issue? So far I've only sent for review APKs that didn't have this issue on the pre launch report. – casolorz May 11 '23 at 18:24
  • That https://github.com/h0rd7/PendingIntentScan tool somebody was proposing (but deleted the answer) could lead to correct direction.. it's discovering pending intent vulnerabitly in app pointing in gms.GoogleApiAvailabilityLight regardless play-services-basement is updated to 18.1.0. Maybe once that is resolved (by upgrading deps, compilesdk or what ever) the other issues gets fixed as well. – Erkki Nokso-Koivisto May 12 '23 at 15:27
  • 1
    I submitted an update with `basement` `18.2.0` and it went through without triggering that pre-launch issue, however I had other bundles go through in the past so I don't know for sure that the issue was addressed. – casolorz May 12 '23 at 15:34
  • interesting, looking at mvnrepository there are no known vulnerabilities since v18.0.1 of play-services-basement – Erkki Nokso-Koivisto May 12 '23 at 17:41
  • Just tried another update with `18.2.0` and it got the pre-launch issue. – casolorz May 12 '23 at 21:09
  • haven't got the error in PLR since resubmitting the app (with zero changes).. I wonder could it have been just false warning on Google side and then somebody "white listing" the app (haven't yet got confirmation). I was asking about exactly same error in Github, and it seemed to relate "unsafe" use of AES. Maybe one could verify not having KEY or IV hard coded in codebase or use of AES-ECB. support.google.com/faqs/answer/9450925 – Erkki Nokso-Koivisto May 14 '23 at 19:39
  • Have you submitted multiple times? For me it happens every other bundle upload. I upload, wait for the report to be done, if it gives the errors then I make a new build with a new version code, upload again and it doesn't give me the error. – casolorz May 15 '23 at 16:10
  • I've submitted 5 builds, 2 first had this issue in PLR. Could it depend on which datacenter build ends up for analysis :) – Erkki Nokso-Koivisto May 15 '23 at 16:45
  • Answer from Google Play support: "I see your app was resubmitted earlier and has been approved. Please note: in some instances, the warning may continue to be displayed after the review has been completed. If you successfully resolved the issue, no further action is required and you DO NOT need to contact us about this warning." – Erkki Nokso-Koivisto May 18 '23 at 09:22
  • @ErkkiNokso-Koivisto so did you have an apk rejection because of this issue? Or just a warning on the pre-launch report? – casolorz May 18 '23 at 14:21
  • @casolorz didn't submit builds with PLR issue further than internal track – Erkki Nokso-Koivisto May 20 '23 at 07:28
  • 1
    I think they might have fixed it. I've uploaded 3 bundles and none of them got this issue on the pre launch report. – casolorz Jun 05 '23 at 17:02

4 Answers4

2

I am having EXACTLY the same issue with completely identical messages, but they seem to appear randomly. I successfully sumbitted the latest version of my app yesterday and it was published to the Store. When I look at that release in the Dashboard this morning, the two errors have been added. The same happened for a previous release. What is going on?

By the way, as a newbie, I wanted to add a comment to the original question, but I'm not allowed to. Apologies if adding an answer isn't correct protocol.

macrotech
  • 21
  • 3
  • Is this leading to an apk rejection? I only have the pre-launch report so far, nothing else. Edit: to answer my own question, nope, it didn't lead to an apk rejection. – casolorz May 08 '23 at 14:27
  • So yesterday I uploaded two bundles but only released one. I just realized the one I never released is the one that triggered the alert, so I don't actually know if that would lead to an apk rejection. – casolorz May 10 '23 at 00:18
1

I resubmitted another build of app with zero changes, and "Unsafe encryption" and "Implicit Pending Intent" errors are gone :)

Erkki Nokso-Koivisto
  • 1,203
  • 15
  • 19
1

Not sure if it was luck or our action but, using Unity and Easy Save 3 plugin, we suffered this issue. After updating Easy Save 3 plugin to its latest version, Google Play stopped complaining.

Just in case this information is helpful for somebody

manelizzard
  • 1,060
  • 8
  • 19
1

I had the same problem as you bjqm.c, bjqm.d, bpce.b

after that I changed SharedPreference to EncrytedSharedPreference and submitted an update. And all warnings are gone.

EncryptedSharedPreference Google doc

if you use SharedPreference, you can try this. good luck

StarCue
  • 63
  • 9
  • Were you doing some encryption stuff with `SharedPreference` or do you think the library was doing something? – casolorz May 24 '23 at 20:40
  • Previously I used `SharedPreference` and no encryption. After that I encrypted the `SharedPreference` using `EncryptedSharedPreference` and all warnings went away. I just followed the recommendations in the google docs for warnings. – StarCue May 25 '23 at 04:49