Seeing If Your App Has the Play Core Vulnerability

A blog post from Check Point has triggered a bunch of media reports about apps still being affected by a months-old massive bug in the Play Core library. Apps need to use an updated version of that library to help mitigate the bug, and apparently ~8% of apps do not.

The bug is bad: a remote code execution (RCE) flaw in a privileged process. Basically, attackers can do nearly anything they want. Updating the library is presumably meant to help on devices where Play Services itself is out of date, as the real problem is not going to be in the apps.

The library in question is com.google.android.play:core. According to NIST, the problem is in versions 1.3.6 through 1.7.1. Google, in the 1.7.2 release notes, is more general and says that anyone using “a lower version” should upgrade at least to 1.7.2.

However, bear in mind that you might not be using this library directly. Other Google libraries, such as com.google.android.play:core-ktx and androidx.navigation:navigation-dynamic-features-runtime, pull in the Play Core library via transitive dependencies. So too do third-party libraries, particularly those centered around in-app updates.

A reasonably quick way to see if your app is affected, directly or indirectly, is by running a Gradle dependency report and searching for the Play Core library. From within Android Studio, you can do this by:

  • Opening the Gradle tool (typically docked on the right)
  • For each of your modules, going into Tasks > help in the tree and running the dependencies task by double-clicking on it

Or, you can run the report from the command line (e.g., ./gradlew app:dependencies).

Then, search the output for com.google.android.play:core, as the report shows all configurations and all transitive dependencies. In Android Studio, Ctrl-F (or the macOS equivalent) will bring up a search field in the report output pane. At the command line, you can throw a grep or fgrep at the problem:

./gradlew app:dependencies | fgrep "com.google.android.play:core"

Then:

  • If your search comes up empty, you are fine

  • If your search comes up with a hit, but the version of the library is 1.7.2 or newer, you are fine

  • If your search comes up with a hit for an older version, you have a problem
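
The three-way check above can be scripted. The following is an added example, not part of the original post: it reads the dependency report on stdin, ignores sibling artifacts such as core-ktx (which the fgrep also matches), uses the resolved version on "declared -> resolved" lines, and compares it against 1.7.2. The function names check_play_core and sample_report and the sample report itself are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: ./gradlew app:dependencies | check_play_core
# Exit status is 1 if any resolved Play Core version is older than 1.7.2.
check_play_core() {
  awk -v min="1.7.2" '
    # Numeric, component-wise comparison: returns 1 when a is older than b.
    function older(a, b,    x, y, n, m, i) {
      n = split(a, x, "."); m = split(b, y, ".")
      for (i = 1; i <= (n > m ? n : m); i++)
        if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0)
      return 0
    }
    {
      coord = "com.google.android.play:core"
      i = index($0, coord)
      if (i == 0) next
      rest = substr($0, i + length(coord))
      if (rest !~ /^[: ]/) next            # skip core-ktx and other siblings
      if (match(rest, /-> [0-9][0-9.]*/))  # "declared -> resolved": use resolved
        ver = substr(rest, RSTART + 3, RLENGTH - 3)
      else if (match(rest, /^:[0-9][0-9.]*/))
        ver = substr(rest, 2, RLENGTH - 1)
      else next
      if (seen[ver]++) next                # report each version once
      if (older(ver, min)) { print "VULNERABLE " ver; bad = 1 }
      else print "ok " ver
    }
    END { exit bad + 0 }
  '
}

# Constructed sample report: two configurations, one still resolving 1.6.4.
sample_report() {
  cat <<'EOF'
releaseRuntimeClasspath
\--- com.example:updater-lib:1.2.1
     \--- com.google.android.play:core:1.6.4
debugRuntimeClasspath
+--- com.example:updater-lib:1.2.1
|    \--- com.google.android.play:core:1.6.4 -> 1.9.0
+--- com.google.android.play:core-ktx:1.8.1
|    \--- com.google.android.play:core:1.8.0 -> 1.9.0 (*)
\--- com.google.android.play:core:1.9.0
EOF
}
```

Because the exit status reflects the result, the function can also serve as a build gate in CI.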

If you have a problem, you can work your way up the tree to determine which root dependency — one that should appear in your module’s build.gradle file — is pulling in Play Core via transitive dependencies. Or, perhaps you are pulling it in directly. Find whatever dependency is the culprit and try upgrading to the latest version of that dependency, then re-run this test and see if you are no longer affected by the Play Core bug.

You may find that even the latest version of the root dependency still pulls in a flawed Play Core edition. For example, A3InAppUpdater seems to use older Play Core versions even for its latest (1.2.1) version… in part because the library has not been updated in a year. For these cases, you have two main options that I can think of (as I race to get this post out):

  1. Add your own dependency on Play Core to build.gradle, using a known-good version. From a compatibility standpoint, you might go with com.google.android.play:core:1.7.2. As I write this, the now-current version is com.google.android.play:core:1.9.0. If you have your own dependency on Play Core, Gradle should resolve the conflict and pick the newer one. However, the root dependency may rely on stuff that is only in the older Play Core, so you would need to test thoroughly.

  2. Stop using the flawed root dependency entirely, until you are in a position to switch to some safer alternative.