Your app contains unsafe cryptographic encryption patterns (in dynamically loaded code)
This recently popped out pre-launch report, once I published minor update to app.


I've also seen a couple of similar ones recently in other projects, with class names obfuscated to exactly the same names (bjqm.*, bpce.*).

I wonder what's causing it (which dep)? Note that it's dynamically loaded code. These classes are nowhere to be seen in "obfuscation mapping.txt", and I didn't catch the classes in a heap dump either. I've also tried submitting the app without obfuscation to internal builds, but these classes are still scrambled / obfuscated in the pre-launch report.

It seems Google has updated its static analyzers recently, as the minor change I made in the codebase doesn't cause it.

Hausmann answered 25/4, 2023 at 13:20
@erkki Nokso-Koivisto As far as the PendingIntent issue is concerned, _Activity_Recognition_Flutter has this `PendingIntent pendingIntent`. Otherwise, in my project I don't see any direct reference in any of the packages to this Unsafe Encryption, relating to the public-key encryption requirement. – Najera
Thanks, but it's not a Flutter dependency in my case (PendingIntents are quite popular in 3rd-party SDKs). I'm looking at exactly the same class names reported under RevenueCat, and user fdx-76333c claiming to have Google deps only, so could this be due to an outdated Google dep (firebase-x, play-services-x, ...)? – Hausmann
I am getting the EXACT same issue, with the EXACT same names bjqm.c and bpce.b... it's very strange. Will also do a re-upload and see if it works. – Antipyretic
I am getting the exact issue too with the same classes. Have you found any clue? – Maladjusted
@radwa did you try resubmitting the app, which fixed it for me? – Hausmann
I did actually; I am waiting for the PLR right now, but you know, if it doesn't appear now it might pop up next time. I was asking if it's just an issue resolved by Google or it is really a security error we need to resolve. – Maladjusted
I have exactly the same issue and the same file name, no ads in my app. I updated Android libraries but have no idea why this is happening. I tried to resubmit again and I still have the same issue. – Chart
I just got this warning even though I didn't have this warning a week ago when I submitted another update. Very similar code, just minor changes. I did update some ad network libraries. Anyone know how I can track which libraries might be causing this? – Pleo
I resubmitted and still get the same issue. I do not use Flutter (just a plain old Android Studio project). I do use some C++ libs. No ads. I am getting it in two projects; they have the following Gradle libs in common: ML text recognition, camera2, play-services-location, core-splashscreen, about libs (and some others). Also would like to know how to track down the offending lib. – Antipyretic
Maybe it is the com.google.android.gms:play-services-basement dep (it's a sub-dep of play-services-location, firebase-message & others). It seems to have the following fixed in 18.0.2: "The latest updates to the play-services-basement library improve security on signature verification and address the mutable PendingIntent vulnerability." @Antipyretic if you could try bumping play-services-location to latest (21.0.1). Use `./gradlew app:dependencies` to check that you have play-services-basement >= 18.0.2 in the project. I upgraded play-services-location from 17.0.0 -> 21.0.1 and basement is now 18.1.0, from 17.0.0. – Hausmann
@ErkkiNokso-Koivisto It seems that the location was already on the latest, but the ML text recognition was not. I updated all my Gradle libs, then ensured basement was 18 as you suggested. It SEEMS to have worked. You should really add it as an answer and maybe claim that sweet bounty. – Antipyretic
@zee nice if it worked; was ML text really depending on an old version of play-services-basement, or was it some of your other Google deps? – Hausmann
@ErkkiNokso-Koivisto if I undo the upgrade, it seems to be depending on basement 18.1.0... so now I'm not sure. But the error is still now showing in Play :( – Antipyretic
I'm on 18.2.0 for base and 18.1.0 for basement and got the pre-launch report error last night. I found out you can upload the bundle and not submit it for review and it still generates the pre-launch report, so I'm just testing that way. – Pleo
Does anyone know if the APK will be accepted or rejected with this issue? So far I've only sent for review APKs that didn't have this issue on the pre-launch report. – Pleo
That github.com/h0rd7/PendingIntentScan tool somebody was proposing (but deleted the answer) could point in the correct direction. It's discovering a pending intent vulnerability in the app pointing at gms.GoogleApiAvailabilityLight regardless of play-services-basement being updated to 18.1.0. Maybe once that is resolved (by upgrading deps, compileSdk or whatever) the other issues get fixed as well. – Hausmann
I submitted an update with basement 18.2.0 and it went through without triggering that pre-launch issue; however, I had other bundles go through in the past, so I don't know for sure that the issue was addressed. – Pleo
Interesting, looking at mvnrepository there are no known vulnerabilities since v18.0.1 of play-services-basement. – Hausmann
Just tried another update with 18.2.0 and it got the pre-launch issue. – Pleo
Haven't got the error in PLR since resubmitting the app (with zero changes). I wonder could it have been just a false warning on Google's side and then somebody "white listing" the app (haven't yet got confirmation). I was asking about exactly the same error on GitHub, and it seemed to relate to "unsafe" use of AES. Maybe one could verify not having a KEY or IV hard-coded in the codebase, or use of AES-ECB. support.google.com/faqs/answer/9450925 – Hausmann
Have you submitted multiple times? For me it happens every other bundle upload. I upload, wait for the report to be done; if it gives the errors, then I make a new build with a new version code, upload again and it doesn't give me the error. – Pleo
I've submitted 5 builds; the first 2 had this issue in PLR. Could it depend on which datacenter the build ends up in for analysis :) – Hausmann
Answer from Google Play support: "I see your app was resubmitted earlier and has been approved. Please note: in some instances, the warning may continue to be displayed after the review has been completed. If you successfully resolved the issue, no further action is required and you DO NOT need to contact us about this warning." – Hausmann
@ErkkiNokso-Koivisto so did you have an APK rejection because of this issue? Or just a warning on the pre-launch report? – Pleo
@Pleo didn't submit builds with the PLR issue further than the internal track. – Hausmann
I think they might have fixed it. I've uploaded 3 bundles and none of them got this issue on the pre-launch report. – Pleo
I am having EXACTLY the same issue with completely identical messages, but they seem to appear randomly. I successfully submitted the latest version of my app yesterday and it was published to the Store. When I look at that release in the Dashboard this morning, the two errors have been added. The same happened for a previous release. What is going on?

By the way, as a newbie, I wanted to add a comment to the original question, but I'm not allowed to. Apologies if adding an answer isn't correct protocol.

Hindemith answered 5/5, 2023 at 10:14
Is this leading to an APK rejection? I only have the pre-launch report so far, nothing else. Edit: to answer my own question, nope, it didn't lead to an APK rejection. – Pleo
So yesterday I uploaded two bundles but only released one. I just realized the one I never released is the one that triggered the alert, so I don't actually know if that would lead to an APK rejection. – Pleo
I resubmitted another build of the app with zero changes, and the "Unsafe encryption" and "Implicit Pending Intent" errors are gone :)

Hausmann answered 25/4, 2023 at 20:21
Not sure if it was luck or our action, but, using Unity and the Easy Save 3 plugin, we suffered this issue. After updating the Easy Save 3 plugin to its latest version, Google Play stopped complaining.

Just in case this information is helpful for somebody.

Brinkema answered 16/5, 2023 at 8:49
I had the same problem as you: bjqm.c, bjqm.d, bpce.b

After that I changed SharedPreferences to EncryptedSharedPreferences and submitted an update, and all warnings are gone.

EncryptedSharedPreferences Google doc

If you use SharedPreferences, you can try this. Good luck.

Inculpable answered 24/5, 2023 at 15:37
Were you doing some encryption stuff with SharedPreferences, or do you think the library was doing something? – Pleo
Previously I used SharedPreferences and no encryption. After that I encrypted the SharedPreferences using EncryptedSharedPreferences and all warnings went away. I just followed the recommendations in the Google docs for the warnings. – Inculpable
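As an added illustration (not code from any poster here, nor from Google's FAQ) of what the "unsafe encryption" warning discussed in this thread is about: the hard-coded-key / AES-ECB pattern the Google FAQ flags, beside a hardened form that keeps the key in the Android Keystore and uses AES-GCM with a fresh IV per call. The key alias and the sample key bytes are assumed/constructed values.

```java
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

public final class PrefsCrypto {
    // Pattern the pre-launch report flags: a key baked into the APK plus ECB mode.
    // Anyone with the APK recovers the key, and ECB leaks repeated plaintext blocks.
    static byte[] unsafeEncrypt(byte[] plaintext) throws Exception {
        byte[] hardcodedKey = "0123456789abcdef".getBytes(); // constructed example value
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(hardcodedKey, "AES"));
        return c.doFinal(plaintext);
    }

    static final String ALIAS = "prefs_key"; // assumed alias name
    // Hardened form: the key is generated inside the Android Keystore and never
    // appears in code or on disk; AES-GCM also adds an integrity tag.
    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }

    // Keystore GCM keys require a fresh random IV per call: let the cipher pick
    // it and store it in front of the ciphertext instead of hard-coding one.
    static byte[] safeEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey());
        byte[] iv = c.getIV(), ct = c.doFinal(plaintext); // IV is 12 bytes
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }
    static byte[] safeDecrypt(byte[] ivAndCt) throws Exception {
        byte[] iv = new byte[12], ct = new byte[ivAndCt.length - 12];
        ByteBuffer.wrap(ivAndCt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keystoreKey(), new GCMParameterSpec(128, iv));
        return c.doFinal(ct); // AEADBadTagException if the stored data was tampered with
    }
}
```

EncryptedSharedPreferences, as used in the answer above, packages the same approach (a Keystore-backed master key and AES-GCM for values) behind the SharedPreferences API.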
