How to fix apps containing Vpon SDK Vulnerability

This information is intended for developers of apps that use any version of the Vpon SDK ad platform that precedes v4.5.1. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

Please migrate your app(s) to Vpon v4.5.1 or higher as soon as possible and increment the version number of the upgraded APK. Beginning Sep 17, 2016, Google Play will block publishing of any new apps or updates that use pre-4.5.1 versions of Vpon SDK. Your published app version will remain unaffected; however, any updates to the app will be blocked unless they address this vulnerability.

Next steps

  1. Download the latest version of Vpon from the Vpon website.
  2. Contact bd@vpon.com if you need help upgrading.
  3. Sign in to your Developer Console and submit the updated version of your app.
  4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. Note that some processing delays are common even if your app has fixed the vulnerability.

If you’re using a 3rd party library that bundles Vpon, you’ll need to upgrade it to a version that bundles Vpon 4.5.1 or higher. 

The vulnerability is due to permissive WebView settings: the SDK does not explicitly call setAllowFileAccess(false) on old versions of Android. An attacker may exploit this vulnerability by serving malicious JavaScript code in an advertising creative, making it possible to access local resources on the device.
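For WebViews in your own code that render remote content, the same setting can be applied explicitly. The following is an added example, not code from Vpon or from this page; the class and method names are hypothetical. It goes beyond the single call named above by also closing the related file-URL and content-URL settings, and it complements rather than replaces the SDK upgrade.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Hypothetical helper: denies local file access to a WebView that shows remote content. */
public final class WebViewHardening {

    private WebViewHardening() {}

    public static void denyLocalFileAccess(WebView webView) {
        WebSettings settings = webView.getSettings();

        // The call named above. File access is on by default for apps
        // targeting Android 10 (API 29) and below, so it must be turned off
        // explicitly. Note: file:///android_asset and file:///android_res
        // remain loadable regardless of this setting.
        settings.setAllowFileAccess(false);

        // Also block content:// URLs (setter exists from API 11).
        // Assumption: this WebView never needs to load from a ContentProvider.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            settings.setAllowContentAccess(false);
        }

        // These setters exist from API 16. Apps targeting API 15 and below
        // get a permissive default, so set them explicitly where available.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // JavaScript running in a file:// page may not read other file:// URLs.
            settings.setAllowFileAccessFromFileURLs(false);
            // JavaScript running in a file:// page may not reach any other origin.
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
    }
}
```

Call `WebViewHardening.denyLocalFileAccess(webView)` before the first `loadUrl()` so the settings are in place when content starts loading.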

For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

While these specific issues may not affect every app that uses Vpon SDK, it’s best to stay up to date on all security patches. Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.
