This information is intended for developers of apps that are using an unsafe version of Supersonic SDK, an ad platform.
The vulnerability in pre 6.3.5 version of the Supersonic SDK exposes a number of functions through Javascript. As the Javascript files are downloaded over HTTP, they are vulnerable to a man-in-middle attack. Using this, an attacker could potentially delete files from the phone and obtain information such as geolocation, installed apps, etc. The issues have been fixed newer versions of the SDK.
What’s happening
Beginning January 26, 2017, Google Play started to block the publishing of any new apps or updates that use pre 6.3.5 versions of Supersonic. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your app to use the latest version of Supersonic SDK.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Note that apps must also comply with the Developer Distribution Agreement and Content Policy.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.