Open nthchild1 opened 4 years ago
We are also experiencing this same issue. We have received the following email from Google:
Hello Google Play Developer,
We reviewed [appname], with package name [package], and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.
Vulnerability: HostnameVerifier. Your app(s) are using an unsafe implementation of the HostnameVerifier interface. You can find more information about how to resolve the issue in this Google Help Center article.
APK Version(s): 1603278811
Deadline to fix: December 10, 2020
To confirm you’ve upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We’ll show a warning message if the app hasn’t been updated correctly.
While these vulnerabilities may not affect every app, it’s best to stay up to date on all security patches.
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
This library is no longer actively maintained: #666
We got a mail from Google telling us this:
We also got a link with details about this vulnerability. We tracked it down to rn-fetch-blob files RNFetchBlobUtils.java and RNFetchBlobReq.java. There's a pull request open that might address this issue regarding RNFetchBlobReq.java, but X509TrustManager would still be used in RNFetchBlobUtils.java.