How to address MoPub vulnerabilities in your apps

This information is intended for developers of apps that utilize any version of MoPub, an ad platform, that precedes 4.4.0. These versions contain a security vulnerability.

Please migrate your app(s) to MoPub v4.4.0 or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of MoPub. Your published APK version will remain unaffected, however any updates to the app will be blocked unless you address this vulnerability.

Next steps:

  1. Download the latest version of Mopub here.
  2. Contact if you need help upgrading. 
  3. Sign in to your Developer Console and submit the updated version of your app.
  4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. 

If you’re using a 3rd party library that bundles MoPub, you’ll need to upgrade it to a version that bundles MoPub 4.4.0 or higher.

The vulnerability is due to unsanitized default WebView settings. An attacker may exploit this vulnerability by serving a malicious JavaScript code in an advertising creative, making it possible to infer the existences of privacy-sensitive local resources on the devices. For Android devices with the prior versions of API 16, the attacker can even access local resources. For other technical questions, you can post to Stack Overflow and use the tags “android-security”.

To confirm the version number if you're building using the Jcenter AAR, you can check your Gradle config and make sure it points to 4.4.0. To confirm the version number if you're building directly from source or not using Gradle, you can check for SDK_VERSION.

While these specific issues may not affect every app that uses MoPub, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

Was this article helpful?
How can we improve it?