How to fix apps with bad WebRTC versions

This information is intended for developers with app(s) that use a vulnerable version of WebRTC. 

What’s happening

One or more of your apps contain a version of WebRTC that contains serious security vulnerabilities. These vulnerabilities can make your app susceptible to remote code execution, and can potentially give an attacker access to your app’s private data.

Fixing this issue is highly recommended, but not mandatory. The publication status of your app will be unaffected by the presence of this issue.

Additional details

These vulnerable versions of WebRTC use usrsctp, a third-party library that is the source of the vulnerabilities, and is no longer used by WebRTC.

Next Steps 

1. Update your app and fix the issue using the steps below:

  • If your app depends on WebRTC directly, 
    • Follow the instructions under the heading “Updating the Code” here.
      • Information on the WebRTC build process for Android is available here.
    • It is strongly recommended that apps update to the current source, though updating to M102 or later will remediate the security issue.
  • If your app depends on WebRTC indirectly through an SDK or third-party library, notify the SDK/library developers and work with them to address this issue.
  • Note that pre-built WebRTC binaries have been deprecated for some time. Developers must build from source to get the latest updates.

2. Submit your updated app bundle or APK

To submit an updated app bundle or APK:

  1. Go to your Play Console.
  2. Select the app.
  3. Go to the App bundle explorer.
  4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
  5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
  6. Near the top right of the page, click Create new release. (You may need to click Manage track first.)
  7. If the release with the non-compliant APK/app bundle is in a draft state, discard the release.
  8. Add the policy-compliant version of the APK/app bundle.
  9. Make sure the non-compliant version of the APK/app bundle is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
  10. To save any changes you make to your release, select Save.
  11. When you've finished preparing your release, select Review release.
  12. If the non-compliant APK/app bundle is released to multiple tracks, repeat steps 5-9 in each track.

During this time your new app or app update displays an "in review" status until your request is completed. If the app has not been updated correctly, vulnerability notifications will continue to be sent to your Play Console. 

We’re here to help

If there are technical questions about the vulnerability, post to Stack Overflow and use the tag “android-security.” For clarification on steps needed to resolve this issue, please contact the support team.

Was this helpful?

How can we improve it?
Google apps
Main menu
Search Help Center