How to address MoPub vulnerabilities in your apps
This information is intended for developers of apps that use any version of MoPub, an ad platform, earlier than 4.4.0. These versions contain a security vulnerability. Please migrate your app(s) to MoPub v4.4.0 or higher as soon as possible and increment the version number of the upgraded APK.
Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of MoPub. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Download the latest version of MoPub here. Contact firstname.lastname@example.org if you need help upgrading. If you’re using a third-party library that bundles MoPub, you’ll need to upgrade it to a version that bundles MoPub 4.4.0 or higher.
To confirm the version number if you're building using the JCenter AAR, you can check your Gradle config and make sure it points to 4.4.0. To confirm the version number if you're building directly from source or not using Gradle, you can check com.mopub.common.MoPub.java for SDK_VERSION.
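Both checks above can be automated across a project tree. The script below is an added example, not part of the original notice or of MoPub's code. It assumes the Gradle coordinate has the form `com.mopub:mopub-sdk...:<version>` and that `MoPub.java` declares `SDK_VERSION = "<version>"`; the function names and the sample build file are constructed for illustration.

```python
import re
import sys
from pathlib import Path

MIN_FIXED = (4, 4, 0)  # first fixed release named in the advisory
# Assumed forms (not stated on the page): a Gradle coordinate
# "com.mopub:mopub-sdk...:<version>" and, in MoPub.java, SDK_VERSION = "<version>".
GRADLE_RE = re.compile(r"""com\.mopub:mopub-sdk[\w-]*:([^'"@\s)]+)""")
SOURCE_RE = re.compile(r'SDK_VERSION\s*=\s*"([^"]+)"')
# Constructed sample build file: one pinned old version, one dynamic version.
SAMPLE_GRADLE = """dependencies {
    compile('com.mopub:mopub-sdk:4.3.0@aar') { transitive = true }
    compile "com.mopub:mopub-sdk:4.+"
}"""


def classify(version):
    """Return 'ok', 'vulnerable' or 'unresolved' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:  # dynamic ("4.+") or interpolated ("$mopubVersion") versions
        return "unresolved"  # must be checked against the resolved dependency
    parts = tuple(int(p or 0) for p in m.groups())
    return "ok" if parts >= MIN_FIXED else "vulnerable"


def scan_text(name, text):
    """Return (file, version, status) for each MoPub version found in text."""
    pattern = SOURCE_RE if name.endswith("MoPub.java") else GRADLE_RE
    return [(name, v, classify(v)) for v in pattern.findall(text)]


def scan_tree(root):
    """Scan Gradle build files and any MoPub.java source file under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.name == "MoPub.java" or ".gradle" in path.name):
            findings += scan_text(str(path), path.read_text(errors="ignore"))
    return findings


if __name__ == "__main__":
    # With no argument, run on the constructed sample instead of a project tree.
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
               else scan_text("sample.gradle", SAMPLE_GRADLE))
    for name, version, status in results:
        print(f"{status:10} {version:14} {name}")
    sys.exit(1 if any(status != "ok" for _, _, status in results) else 0)
```

The non-zero exit status on any `vulnerable` or `unresolved` finding lets the script gate a CI build before the APK is submitted.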
While these specific issues may not affect every app that uses MoPub, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.