Pushwoosh / pushwoosh-appcelerator-titanium


Google Play store Security alert #76

Closed emmanuelfrancis closed 4 years ago

emmanuelfrancis commented 4 years ago

I have used the latest module, 5.20.0, and uploaded the app to the Google Play store, and I get the security error below:

It seems that the fix described here https://help.pushwoosh.com/hc/en-us/articles/360033241611-Fixing-a-Zip-Path-Traversal-Vulnerability- has not been applied to the Appcelerator module.

Security alert
Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see this Google Help Centre article to find out how to fix the issue.
Vulnerable locations:
com.pushwoosh.inapp.ZipDownloader.unzip
com.pushwoosh.internal.utils.d.a
Affects APK versions 22 and 8.

Would replacing pushwoosh-location_v5.21.4 with pushwoosh-location_v5.22.6.aar work?
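The "unsafe unzipping pattern" flagged by the Play store alert is the one where an extractor builds the output path directly from a zip entry name, so an entry such as `../../x` escapes the intended directory. The following is an added example, not Pushwoosh SDK code: it builds a small archive in memory (constructed sample, with one benign entry and one traversal entry), shows the naive target path next to the canonical-path check that Google's fix guidance describes, and reports which entries the hardened check would reject. Class and method names (`SafeUnzipDemo`, `safeTarget`, `scan`) are illustrative and are not taken from the SDK; nothing is written to disk.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzipDemo {

    // Unsafe pattern (for comparison only): the target path is taken straight
    // from the entry name, so ".." components walk out of destDir.
    static File unsafeTarget(File destDir, ZipEntry entry) {
        return new File(destDir, entry.getName());
    }

    // Hardened pattern: resolve the canonical path and require that it stays
    // under the canonical destination directory. The trailing separator also
    // rejects sibling directories whose name merely starts with destDir's name.
    static File safeTarget(File destDir, ZipEntry entry) throws IOException {
        File target = new File(destDir, entry.getName());
        String destCanonical = destDir.getCanonicalPath() + File.separator;
        String targetCanonical = target.getCanonicalPath();
        if (!targetCanonical.startsWith(destCanonical)) {
            throw new IOException("Zip entry escapes target directory: " + entry.getName());
        }
        return target;
    }

    // Constructed sample archive: one normal entry and one traversal entry.
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            for (String name : new String[] {"inapp/index.html", "../../outside.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("sample content".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bytes.toByteArray();
    }

    // Walks the archive and reports whether the hardened check accepts each entry.
    // Files are never written; only the computed paths are reported.
    static List<String> scan(byte[] zipBytes, File destDir) throws IOException {
        List<String> report = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File naive = unsafeTarget(destDir, entry);
                try {
                    File ok = safeTarget(destDir, entry);
                    report.add("ACCEPT " + entry.getName() + " -> " + ok.getPath());
                } catch (IOException e) {
                    report.add("REJECT " + entry.getName()
                            + " (unsafe pattern would have targeted " + naive.getPath() + ")");
                }
                zis.closeEntry();
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical destination directory; it does not need to exist for the check.
        File destDir = new File(System.getProperty("java.io.tmpdir"), "inapp-resources");
        for (String line : scan(buildSampleZip(), destDir)) {
            System.out.println(line);
        }
    }
}
```

Running the class prints one ACCEPT line for `inapp/index.html` and one REJECT line for `../../outside.txt`. The same `getCanonicalPath()` comparison is what an app-level scanner or reviewer should look for when an SDK's unzip routine is flagged; an extractor that only checks for a literal `..` substring, or that compares uncanonicalised paths, still leaves the pattern exploitable.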

wfhm commented 4 years ago

Hello @emmanuelfrancis,

> Would replacing pushwoosh-location_v5.21.4 with pushwoosh-location_v5.22.6.aar work?

The issue is not in the location module but in the main Pushwoosh SDK module, so it will not help.

This is actually weird, as the fix was applied in version 5.14.1 of the native SDK, and the latest Titanium module uses version 5.21.4. I've checked the source code and the fix is still there. Moreover, there is no such class as ZipDownloader in the com.pushwoosh.inapp package, neither in the latest versions nor in 5.14.1 or earlier. Could you please send us a reproducer APK via the Contact us form with a link to this issue so that we can investigate the issue further?

I look forward to hearing from you.

Kind regards,
Vitaly Romanychev
Pushwoosh Team

emmanuelfrancis commented 4 years ago

Thank you for your reply. I have again created a new build and uploaded it to the Play store, and now it's fine; it looks like the previous build was using an older version of the module.