security vulnerability - please update mopub lib #23

Open
mobilino opened this issue Mar 31, 2016 · 30 comments

Comments

@mobilino

Hi,

I received the following email. Could you update the lib and let us know when the updated version will be available?

Thanks for maintaining this plugin!

/Christof

Hello Google Play Developer,

Your app(s) listed at the end of this email utilize a version of the ad platform MoPub that contains a security vulnerability. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

Please migrate your app(s) to MoPub v4.4.0 or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use pre-4.4.0 versions of MoPub.

The vulnerability was addressed in MoPub 4.4.0. The latest versions of the MoPub SDK can be downloaded here. You can confirm the version number by checking in MoPubUtils class. To confirm the version number, please see this help center page.

If you need more information, you can contact MoPub support by emailing support@mopub.com. If you’re using a 3rd party library that bundles MoPub, you’ll need to upgrade it to a version that bundles MoPub 4.4.0 or higher.

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

The vulnerability is due to unsanitized default WebView settings. An attacker may exploit this vulnerability by serving a malicious JavaScript code in an advertising creative, making it possible to infer the existences of privacy-sensitive local resources on the devices. For Android devices with the prior versions of API 16, the attacker can even access local resources. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “MoPub.”

While these specific issues may not affect every app that uses MoPub, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Regards,

The Google Play Team

©2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
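The notice above names the bug class without giving the fix: an ad creative is untrusted HTML and JavaScript, and a WebView left on its default settings lets that script probe, and on old API levels read, file:// resources on the device. The following is an added example for this page, not MoPub's code and not the change that shipped in MoPub 4.4.0 (which the thread does not describe). It shows a permissive Android WebView beside a hardened one for rendering untrusted markup; the class name and `CREATIVE_BASE_URL` are placeholders chosen for the illustration.

```java
// Added example (not from cordova-plugin-mopub or the MoPub SDK).
// Contrasts a permissive WebView setup with one hardened for untrusted
// ad creatives, so creative JS cannot reach file:// or content:// resources.
import android.content.Context;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class AdCreativeWebView {

    // Placeholder origin; a real integration uses the ad server's https origin.
    private static final String CREATIVE_BASE_URL = "https://ads.example.invalid/";

    // What "default settings" give creative JS on the API levels this thread
    // targets: JavaScript on, file access on (its historic default), and below
    // API 16 file-URL scripts may read other local resources.
    static WebView permissive(Context ctx) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        // setAllowFileAccess is left at its default (true) here on purpose,
        // to show the weak configuration; compare hardened() below.
        return wv;
    }

    static WebView hardened(Context ctx) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);      // creatives need JS; restrict its reach instead
        s.setAllowFileAccess(false);       // no file:// loads at all
        s.setAllowContentAccess(false);    // no content:// provider reads
        s.setGeolocationEnabled(false);
        s.setSaveFormData(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { // API 16
            // These two setters only exist from API 16. Below that the
            // behaviour is effectively "allowed", which matches the notice's
            // remark that pre-API-16 devices let the creative read local files.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) { // API 21
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        return wv;
    }

    // Load creative markup under an https origin, never under file://.
    // With a file:// base URL the creative's script would run in the file
    // origin, which is exactly the position the notice warns about.
    static void showCreative(WebView wv, String creativeHtml) {
        wv.loadDataWithBaseURL(CREATIVE_BASE_URL, creativeHtml,
                               "text/html", "UTF-8", null);
    }
}
```

The practical check for a plugin like this one is therefore twofold: the bundled MoPub version must be at least 4.4.0 (which is what Google Play scans for), and any WebView the plugin itself creates for ad content should look like `hardened()` rather than `permissive()`, because the Play scan only knows about the SDK version, not about the host app's own WebView settings.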

@jaanguita

I'm in the same situation... will this be updated?

@floatinghotpot (Owner)

I’ve just noticed this issue.

I have seldom updated the MoPub plugin before, as maintaining the MoPub parts is harder than for the other ad networks: the MoPub guys don't provide a binary jar or framework package, only lots of source code files. I have to create projects to build the jar and framework each time. They are really lazy. :-(

As it's a blocking issue this time, I will try to update it to the latest SDK. I hope they have kept the interface compatible.

@mobilino (Author)

Hi Floatinghotpot,

I hope the update is working out? I am planning my next release, and it would be great to know your thoughts on when it will be ready.

/Christof

@jaanguita

Hi Floatinghotpot,

Is there any news about this?

thanks in advance.

@jaanguita

We are still waiting... Any news on this?

Thanks.

@VincentPeraud

Hi Floatinghotpot,

Are you dead? Can you please update the lib?

Thanks

@floatinghotpot (Owner) commented Sep 14, 2016

Thanks, I am still alive, but I really hate maintaining the MoPub stuff, as they do not provide a binary framework or libs. They only provide source code; it's not my duty to build and maintain their lib for every one of their releases, it's boring to death.

@VincentPeraud

I totally agree with you, but I think it's yours to maintain your plugin; now it doesn't allow me to publish my app to the Play Store, and I have given you money for purchasing a licence!
You can tell me how to build the jar file and I'd be glad to contribute :)

@raytrask commented Sep 15, 2016

@floatinghotpot, how can we (@VincentPeraud, @jaanguita, @mobilino) help? Perhaps if using the code did not require a professional license you could get more help.

On another front:
Typically, people who decide to stop supporting software decide to truly open it up for all. Perhaps we can discuss the pros and cons of this with users of the other plugins so they can understand what to expect from paid licenses.

GoogleAds PluginPro, for Google AdMob/DoubleClick.
iAd PluginPro, for Apple iAd.
FacebookAds PluginPro, for Facebook Audience Network.
FlurryAds PluginPro, for Flurry Ads.
mMedia PluginPro, for Millennial Media.
MobFox PluginPro, for MobFox.

Thanks in advance,

Like I said, let us know how to help and what will work best for all.

@floatinghotpot (Owner)

Sorry, I am not aware that you have a license for this plugin. As you are a commercial customer, I will find a solution and provide support.

@jaanguita

Just so you know... I am a commercial customer too, waiting for an update.

@raytrask commented Sep 16, 2016

I too am a commercial customer. Here is what my app just got from google when I submitted my app.

Hello Google Play Developer,

We rejected "your app", for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability: MoPub. The vulnerability was fixed in MoPub v4.4.0. You can download the latest version of MoPub here. For more information and next steps, please see this Google Help Center article.
APK Version(s): 10000
To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.

While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.

If you feel we have made this determination in error, please reach out to our policy support team.

Best,

The Google Play Team

@raytrask

Is there an ETA on the update? If needed we would be glad to help.

@floatinghotpot (Owner) commented Sep 18, 2016

Sorry for the delay of several days. I am now starting work on it.

It may take some time to get it working, or I may get blocked. So I will paste my progress and referenced materials here.

Step 0, Read GitHub SDK Doc

I looked into MoPub github repo:
https://github.com/mopub/mopub-android-sdk
https://github.com/mopub/mopub-ios-sdk

And their documentation here:
https://dev.twitter.com/mopub/ios/getting-started

It looks like MoPub has improved a lot. They also provide an Android library for Gradle via jCenter, and an iOS SDK via CocoaPods.

But I'm not sure whether they changed the API. Anyway, I need to start by getting the plugin dependencies upgraded and building successfully first.

Step 1, Modify Plugin, Android Part

Instead of building the jar from source code, I attempt to use the aar for Gradle from jCenter. After googling with the keyword "cordova jcenter", I found this article (and thanks to the first comment).

http://ourcodeworld.com/articles/read/135/how-to-add-a-dependency-maven-or-jcenter-to-an-android-cordova-plugin

Then I write a src/android/plugin.gradle:

repositories {
  jcenter()
}

Then add following content into plugin.xml, and remove the mopub jar:

      <framework src="src/android/plugin.gradle" custom="true" type="gradleReference"/>
      <framework src="com.mopub:mopub-sdk:4.9.0@aar" />

Step 2, Modify Plugin, iOS Part

Instead of building the iOS framework from source code, I attempt to use CocoaPods, as their doc mentions the SDK can be used like this:

pod 'mopub-ios-sdk'

After googling with the keyword "cordova cocoapods", I was lucky enough to find a good tool plugin here (thanks to @blakgeek):
https://github.com/blakgeek/cordova-plugin-cocoapods-support

So I write following content into plugin.xml, and remove the old MoPub framework and resource files:

<dependency id="cordova-plugin-cocoapod-support"/>

<pods-config ios-min-version="9.0" uses-frameworks="true"/>
<pod id="mopub-ios-sdk" />

Step 3, Try Building Android App

Now I try adding the plugin to a new Cordova project and building.

cordova create test1 com.rjfun.test1 Test1
cd test1
cordova platform add ios
cordova platform add android
cordova plugin add ~/workspace/cordova-plugins/mopub
rm -r www/*
cp plugins/cordova-plugin-mopub/test/index.html www/
cordova prepare
cordova build android

It starts to build Cordova for Android and attempts to download Gradle, but fails due to a network error.

Downloading http://services.gradle.org/distributions/gradle-2.13-all.zip
.........................................................................................................................
Exception in thread "main" java.lang.RuntimeException: java.net.SocketException: Connection reset

The Gradle download is large and slow, and I have hit this network issue several times before, so I temporarily put the Android build on hold.

Step 4, Try Build iOS App

Now I try the iOS build, cordova build ios; the smart tool plugin cordova-plugin-cocoapod-support tells me CocoaPods is not installed.

So I install CocoaPods first, sudo gem install cocoapods, and get an error:

Fetching: activesupport-5.0.0.1.gem (100%)
ERROR:  Error installing cocoapods:
    activesupport requires Ruby version >= 2.2.2.

Now I need to upgrade my Ruby to 2.2+ first.

After googling, I found a good guide on using RVM to install Ruby:
http://stackoverflow.com/questions/33883615/can-i-upgrade-to-the-current-version-of-ruby-2-2-3-on-os-x-v10-6-8

curl -sSL https://get.rvm.io | bash -s stable --ruby
source ~/.rvm/scripts/rvm
rvm use 2.3 --default
ruby --version

sudo gem install cocoapods

cordova build ios

When building for iOS, another error pops up:

/Users/liming/workspace/cordova-apps/test1/platforms/ios/Test1/Plugins/cordova-plugin-mopub/MoPubPlugin.m:11:9: fatal error: 'MoPub/MoPub.h' file not found
#import <MoPub/MoPub.h>
        ^
1 error generated.

** BUILD FAILED **

I can explain this error. The MoPub.h file was originally in the MoPub.framework I built before (from the zipped source code of the MoPub SDK); now it's not found.

Was the MoPub SDK not installed correctly with pod? Let's check.

When I go to the platforms/ios folder, I cannot find a MoPub SDK folder. Was it caused by the interruption from the missing tool just now? Not sure. So I remove the test1 folder and re-create it from scratch.

rm -rf test1
cordova create test1 com.rjfun.test1 Test1
cd test1
cordova platform add ios
cordova plugin add ~/workspace/cordova-plugins/mopub
rm -r www/*; cp plugins/cordova-plugin-mopub/test/index.html www/
cordova prepare

Now the smart pods plugin gives the following messages:

Searching for new pods
Checking cordova-plugin-extension for pods.
Checking cordova-plugin-mopub for pods.
cordova-plugin-mopub requires pod: mopub-ios-sdk
Checking cordova-plugin-whitelist for pods.
Checking config.xml for pods.
Installing pods
Sit back and relax this could take a while.
Setting up CocoaPods master repo

Then no further messages, and it does not exit. I guess it's downloading or doing some other work.

As it's too late today, time to sleep. I will come back tomorrow morning to see the result.

--- To Be Continued ---

@floatinghotpot (Owner)

Oops, it gave a result after I slept:

... ...
Installing pods
Sit back and relax this could take a while.
Setting up CocoaPods master repo

[!] Unable to add a source with url `https://github.com/CocoaPods/Specs.git` named `master`.
You can try adding it manually in `~/.cocoapods/repos` or via `pod repo add`.

iMac:test1 liming$ pod repo add
[!] Adding a repo needs a `NAME` and a `URL`.

Will continue when I have time.

@raytrask

Thanks for working on it!

Let us know what we can do to speed things up. We have a major release coming out in the next few days.

We are only waiting on the Android version, since the security check from the Play Store is stopping us from submitting the app with the outdated MoPub SDK. If you could focus on the Android piece first and push to a branch, that would be helpful while we wait on the iOS piece.

How is your WiFi connection? A really bad WiFi connection could be causing the issues you are seeing above. You may want to try the downloads from a different location.

On the iOS front, maybe this reference would help.
https://code.tutsplus.com/tutorials/managing-private-pods-with-cocoapods--cms-25137

One good thing about this is that after you get this set up once, future upgrades should go a lot, lot easier.

Once again, thanks for working on this, and if you want us to do the build and push it, we can help.

@floatinghotpot (Owner)

Hi guys, I've just got the Android part working and tested on my device.

The changes have been committed to GitHub in af37786, but as the iOS part is not finished, the plugin is not published to the npm repo yet.

You can use it from GitHub URL.

I will continue to work on iOS part.

@raytrask

Thanks!!! We'll let you know how it works out.

@jaanguita

We will wait for the iOS version too.

Thanks @floatinghotpot !

@VincentPeraud

Hi @floatinghotpot,

Thanks for your work!

I got the latest version from GitHub but I cannot compile iOS; I get the following error: "MoPub/MoPub.h file not found" in MoPubPlugin.m. I noticed that you added some pods, so I ran pod install and opened the xcworkspace file, but it's still not working.

Do I have to use the GitHub version for Android and the npm version for iOS?

Thanks,
Vince.

@VincentPeraud

up

@jaanguita

@floatinghotpot Any news on the iOS part?

@deangelo200

Hi, did anyone get the plugin to work with Android?

@deangelo200

???

@jaanguita

@floatinghotpot what about iOS? is it available?

thanks

@hexonaut commented Feb 8, 2017

Think I figured out the problem. In plugin.xml there is a typo:

Line 65 <pods-config ios-min-version="9.0" uses-frameworks="true"/>

Should be <pods-config ios-min-version="9.0" use-frameworks="true"/>

uses-frameworks -> use-frameworks

@palahoma2016

How can I update MoPub in Eclipse to 4.4.0? Please, can you help me fix that?

@hodaifa82

Intel XDK gives me a problem: the code contains Gradle scripts???????

@hodaifa82

@floatinghotpot I'm building for Android.
1- When using Intel XDK I get this message: Intel XDK gives me a problem, the code contains Gradle scripts.

2- When using PhoneGap I get this message after installing on my phone: Error: your MoPub integration is incomplete.

@floatinghotpot (Owner) commented Aug 14, 2017

Update:

Here we've updated the plugin to use the latest MoPub iOS SDK, via CocoaPods. Of course, tested.
It’s published to npm as:

  • cordova-plugin-mopub@2.4.0

Notice:
It may fail if built with the Cordova CLI, with the error:

ld: warning: directory not found for option '-L/Users/.../Library/Developer/Xcode/DerivedData/TestMoPub-.../Build/Products/Debug-iphonesimulator/mopub-ios-sdk'
ld: library not found for -lmopub-ios-sdk

It’s NOT a real problem.

Just use Xcode to open *.xcworkspace instead of *.xcodeproj. Build the "mopub-ios-sdk" scheme first, then build your Cordova app scheme.
