Seeing If Your App Has the Play Core Vulnerability
A blog post from CheckPoint has triggered a bunch of media reports about apps still being affected by a months-old massive bug in the Play Core library. Apps need to use an updated version of that library to help mitigate the bug, and apparently ~8% of apps do not.
The bug is bad: a remote code execution (RCE) flaw in a privileged process — basically, attackers can do nearly anything they want. Fixing the library presumably is to help with devices where Play Services itself is out of date, as the real problem is not going to be in the apps.
The library in question is com.google.android.play:core. According to NIST, the problem is in versions 1.3.6 through 1.7.1. Google, in the 1.7.2 release notes, is more general and says that anyone using “a lower version” should upgrade at least to 1.7.2.
However, bear in mind that you might not be using this library directly. Other Google libraries, such as androidx.navigation:navigation-dynamic-features-runtime, pull in the Play Core library via transitive dependencies. So too do third-party libraries, particularly those centered around in-app updates.
A reasonably quick way to see if your app is affected, directly or indirectly, is by running a Gradle dependency report and searching for the Play Core library. From within Android Studio, you can do this by:
- Opening the Gradle tool (typically docked on the right)
- For each of your modules, go into Tasks > help in the tree, and run the dependencies task by double-clicking on it
Or, you can run the report from the command line (e.g.,
Then, search the output for com.google.android.play:core, as the report shows all configurations and all transitive dependencies. In Android Studio, Ctrl-F (or the macOS equivalent) will bring up a search field in the report output pane. At the command line, you can throw a fgrep at the problem:
./gradlew app:dependencies | fgrep "com.google.android.play:core"
- If your search comes up empty, you are fine.
- If your search comes up with a hit, but the version of the library is 1.7.2 or newer, you are fine.
- If your search comes up with a hit for an older version, you have a problem.
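The three outcomes above can also be checked by a script, for example as a build gate. The following Python is an added example, not code from the original post: it reads a Gradle dependency report and flags each configuration whose resolved Play Core version is older than 1.7.2. The function names and the sample report (including com.example:inapp-updater) are constructed for illustration.

```python
import re
import sys

FIXED = (1, 7, 2)  # the page's threshold: 1.7.2 or newer is fine
# Play Core coordinate, with Gradle's optional "requested -> resolved" arrow.
# The lookahead stops sibling artifacts such as core-ktx from matching.
PLAY_CORE = re.compile(r"com\.google\.android\.play:core(?=[: ]|$)"
                       r"(?::([\w.+-]+))?(?:.*? -> ([\w.+-]+))?")
CONFIG = re.compile(r"^([A-Za-z]\w*)(?: - .*)?$")  # configuration header line

# Constructed sample report; com.example:inapp-updater is a hypothetical library.
SAMPLE = r"""
debugRuntimeClasspath - Runtime classpath of compilation 'debug'.
+--- com.example:inapp-updater:1.0.0
|    \--- com.google.android.play:core:1.6.4 -> 1.9.0
\--- com.google.android.play:core:1.9.0

legacyRuntimeClasspath - Constructed second configuration.
+--- com.example:inapp-updater:1.0.0
|    \--- com.google.android.play:core:1.6.4
\--- com.google.android.play:core-ktx:1.8.1
"""


def parse_version(text):
    """Turn '1.7.1' into (1, 7, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def find_old_play_core(report):
    """Return sorted (configuration, resolved version) pairs below 1.7.2."""
    hits, config = set(), "?"
    for line in report.splitlines():
        header = CONFIG.match(line)
        if header:
            config = header.group(1)
            continue
        m = PLAY_CORE.search(line)
        # The resolved version (after "->") is what ships, not the requested one.
        resolved = m and (m.group(2) or m.group(1))
        if resolved and parse_version(resolved) < FIXED:
            hits.add((config, resolved))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: ./gradlew app:dependencies | python check_play_core.py
    old = find_old_play_core(sys.stdin.read())
    print("\n".join(f"{c}: com.google.android.play:core:{v}" for c, v in old))
    sys.exit(1 if old else 0)
```

In the sample, the first configuration requests 1.6.4 transitively but resolves to 1.9.0 and passes, while the second ships 1.6.4 and is reported.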
If you have a problem, you can work your way up the tree to determine which root dependency — one that should appear in your module’s build.gradle file — is pulling in Play Core via transitive dependencies. Or, perhaps you are pulling it in directly. Find whatever dependency is the culprit and try upgrading to the latest version of that dependency, then re-run this test and see if you are no longer affected by the Play Core bug.
You may find that even the latest version of the root dependency still pulls in a flawed Play Core edition. For example, A3InAppUpdater seems to use older Play Core versions even for its latest (1.2.1) version… in part because the library has not been updated in a year. For these cases, you have two main options that I can think of (as I race to get this post out):
- Put your own dependency in build.gradle on Play Core for a known-good version. From a compatibility standpoint, you might go with com.google.android.play:core:1.7.2. As I write this, the now-current version is com.google.android.play:core:1.9.0. If you have your own dependency on Play Core, Gradle should resolve those and pick the newer one. However, the library may be dependent on stuff that is only in the older library, so you would need to test thoroughly.
- Stop using the flawed root dependency entirely, until you are in position to switch to some safer alternative.