How to fix apps with the Vungle vulnerability

This information is intended for developers of apps that utilize any version of the Vungle ad library that precedes 3.3.0. These versions contain a security vulnerability and are in violation of the Dangerous products provision of the Content Policy, and section 4.4 of the Developer Distribution Agreement.

Please migrate your app(s) to Vungle v.3.3.0 or higher as soon as possible and increment the version number of the upgraded APK. Google Play will block publishing of any new apps and updates that use pre-3.3.0 versions of Vungle. If you are using a 3rd party library that includes Vungle, please notify the 3rd party and work with them to address the issue.

The vulnerability can enable attackers to launch a Man-in-the-middle (MITM) attack against user devices by proxying network traffic and injecting a payload extracted by the Vungle app. The vulnerability was addressed in Vungle v3.3.0. To check your Vungle version, you can do a grep search for “VungleDroid/”.

The latest version of Vungle can be downloaded from the Vungle website. For help upgrading, see this Vungle support page. For more information about the vulnerability, please see https://gist.github.com/Fuzion24/6535f8b9dc2a51745173. If you have other technical questions, please post to https://www.stackoverflow.com/questions and use the tags “android-security” and “vungle.”

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been upgraded correctly, we will display an alert.

Note: while these specific issues may not affect every app that uses Vungle, it’s best to stay up to date on all security patches. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you a Vungle vulnerability warning in error, contact our support team through the Google Play Developer Help Center.
Was this article helpful?
How can we improve it?