opentok / opentok-android-sdk-samples

Sample applications illustrating best practices using OpenTok Android SDK.
https://tokbox.com/developer/sdks/android/
MIT License

Vulnerable WebRTC Version #444

Closed dimitar-zabaznoski closed 1 year ago

dimitar-zabaznoski commented 1 year ago

On the Android platform, when submitting a version for review on the Play Store, we get a warning about a vulnerable WebRTC version:

Your app uses a bad version of WebRTC, which contains security vulnerabilities.

The learn more link: https://support.google.com/faqs/answer/12577537

The latest Android OpenTok version at the time, 2.24.1, seems to use an older version of WebRTC, 99.2.39 (vs. the latest 108.0.0).

v-kpheng commented 1 year ago

Thanks, @dimitar-zabaznoski, for letting us know about this.

This issue was reported by other users as well: https://jira.vonage.com/browse/OPENTOK-49409.

The warning is misleading, though. The warning is generated using a basic scan of the version of libwebrtc being used. Although we do use that version, we don't use the internal library impacted by the security vulnerability. As a matter of fact, our platform doesn't even support WebRTC Data Channels, which is the attack vector. See also https://tokbox.com/developer/sdks/android/release-notes.html

In any case, we'll update to a newer version, but we don't have an ETA for that.