Security Vulnerability in Android SDKs prior to 3.3.0

We’ve had a few questions come in today about a payload injection vulnerability in some older versions of our Android SDKs.  While this vulnerability has been resolved since January, Google has started warning owners of applications that have not yet upgraded their Vungle Android SDK.  Here’s the message that some of our publishers have been seeing:


“Your application utilizes a version of the Vungle ad library containing a security vulnerability. The vulnerability can enable attackers to launch a successful man-in-the-middle attack against user devices by proxying network traffic and injecting a payload extracted by the Vungle app.

The vulnerability was addressed in Vungle v3.3.0. Please upgrade to Vungle v3.3.0 or higher as soon as possible. To check your Vungle version, you can do a grep search for “VungleDroid/”. For more information about the vulnerability, please see https://gist.github.com/Fuzion24/6535f8b9dc2a51745173.

The latest version of Vungle can be downloaded from the Vungle Dashboard. For help upgrading, see the Get Started with Vungle - Android SDK guide. For other technical questions, please use https://www.stackoverflow.com/questions.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Before publishing applications, please ensure your apps' compliance with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, visit this Google Play Help Center article.”

First and foremost, this warning is accurate.  Some older versions of our SDK were susceptible to man-in-the-middle attacks should either a physical device or data network be compromised.  We were alerted to this vulnerability by Fuzion24 and quickly released a fix in our next Android SDK release.  Any app using the latest available Vungle Android SDK is not affected by this vulnerability, but if you are seeing these messages, we, along with Google, strongly recommend that you update as soon as possible.

If you aren’t sure whether your version of the Vungle Android SDK is affected by this vulnerability, you can find out by logging the SDK’s VERSION property:

       Log.d("Vungle-SDK-Version", VunglePub.VERSION);


Android Versions 3.3.0 and above are not affected, but older versions should be updated to our latest release, available on the Vungle Dashboard.
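As an added example (not Vungle's or Google's code) of the grep check the notice describes, the POSIX shell script below scans an unpacked project tree or decompiled APK directory for the "VungleDroid/" marker and flags any version it finds that is below the fixed release, 3.3.0. It assumes the marker is immediately followed by the SDK's dotted version number (e.g. "VungleDroid/3.2.2"); that format is an assumption, not something the notice states, and the scan only sees text that grep can read, so jars and APKs must be unzipped or decompiled first.

```shell
#!/bin/sh
# Added example, not Vungle's or Google's code.
# Scans a directory tree for "VungleDroid/<version>" markers and reports
# whether each version found predates the fix in 3.3.0.
# Assumption: the marker is followed by a dotted version, e.g. VungleDroid/3.2.2

FIXED_VERSION="3.3.0"

# version_lt A B: return 0 (true) if dotted version A is strictly lower than B.
# Missing components count as 0 ("3.3" == "3.3.0"); non-digits are stripped.
version_lt() {
    a="$1.0.0"   # pad so cut always sees a delimiter
    b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# scan_tree DIR: print "path version status" for every marker found.
# -a treats binary files as text, -o prints only the matched marker.
scan_tree() {
    grep -r -a -o 'VungleDroid/[0-9][0-9.]*' "$1" 2>/dev/null |
    while IFS=: read -r path match; do
        ver=${match#VungleDroid/}
        if version_lt "$ver" "$FIXED_VERSION"; then
            status="VULNERABLE"
        else
            status="ok"
        fi
        printf '%s %s %s\n' "$path" "$ver" "$status"
    done
}

# Usage: sh check_vungle.sh /path/to/unpacked/project
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

Any line ending in VULNERABLE points at a file carrying a pre-3.3.0 marker; a tree with only "ok" lines (or no output) contains no detectable old version, though an empty result should be confirmed with the VunglePub.VERSION log line above, since obfuscated or packed builds may hide the string.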


We are always working to improve our SDKs, especially when user or application security is involved, and this is no exception! If you have any specific questions around this vulnerability or the steps required to update the Vungle SDK in your application, please feel free to reach out to us at tech-support@vungle.com.   
