This information is intended for developers of apps that have leaked credentials used in urls.
We recommend that you look for any case where you use url-encoded basic access authentication or in other words use urls like https://username:password@www.example.com/. If the credentials are in fact sensitive, you should immediately change them and redesign your app to avoid including them.
For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.
Note that apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.