How to fix apps with the Portable SDK for UPnP library vulnerabilities

This information is intended for developers of apps that utilize any version of the Portable SDK for UPnP Devices, a.k.a. libupnp, that precedes 1.6.18. Libupnp is a library used to play media files or connect to other devices within a user’s network. Please migrate your app(s) to use libupnp v1.6.18 or higher as soon as possible and increment the version number of the upgraded APK.

What’s happening

Beginning May 9, 2016, Google Play started to block the publishing of any new apps or updates that use pre-1.6.18 versions of libupnp. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

The vulnerability was addressed in libupnp 1.6.18. The latest versions of the libupnp SDK can be downloaded on the libupnp site. For help upgrading, see the libupnp support page. If you’re using a 3rd party library that bundles libupnp, you’ll need to upgrade it to a version that bundles libupnp 1.6.18 or later.
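
One way to check which libupnp version an APK's native libraries bundle, including copies pulled in by third-party libraries. This is an added example, not part of the original notice or of libupnp. It assumes the build embeds the server banner "Portable SDK for UPnP devices/<version>", and the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Assumption: libupnp builds embed their version in the HTTP/SSDP banner
# "Portable SDK for UPnP devices/<version>". Stripped or patched builds may
# not, so an empty result does not prove libupnp is absent.
BANNER = re.compile(rb"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)")
FIXED = (1, 6, 18)  # first fixed release, per this notice


def scan_apk(apk):
    """Return sorted [(member, version, is_vulnerable)] for .so files in an APK.

    `apk` is a filesystem path or a binary file object.
    """
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            # Native code ships under lib/<abi>/*.so inside the APK.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for m in BANNER.finditer(zf.read(name)):
                version = tuple(int(g) for g in m.groups())
                # Tuple comparison orders 1.6.9 before 1.6.18 correctly.
                findings.add((name, version, version < FIXED))
    return sorted(findings)


def constructed_apk():
    """Build an in-memory sample APK (constructed data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libplayer.so",
                    b"\x7fELF..UPnP/1.0, Portable SDK for UPnP devices/1.6.17\r\n")
        zf.writestr("lib/arm64-v8a/libplayer.so",
                    b"\x7fELF..UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n")
        zf.writestr("lib/x86/libother.so", b"\x7fELF no banner here")
        zf.writestr("classes.dex", b"dex\n035")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, version, vulnerable in scan_apk(constructed_apk()):
        label = "older than 1.6.18, upgrade" if vulnerable else "ok"
        print(f"{member}: libupnp {'.'.join(map(str, version))} ({label})")
```

Check every ABI directory: an APK can ship a fixed build for one architecture and an older build for another.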

Affected versions of libupnp contain stack buffer overflow vulnerabilities, which could enable attackers to run arbitrary code on an affected device. For more information about the vulnerability, please see this TrendMicro blog post. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “libupnp.”

While these specific issues may not affect every app that uses libupnp, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Content Policy.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
