Google Play store certification has exposed a security vulnerability in VisualOn's implementation of the X509TrustManager interface, which requires an update to the latest revision of the Divitel MediaPlayer (OSMP+) v3.17, v3.18, v3.19 and v3.20 releases.
What does this mean?
Due to this vulnerability an attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. This is possible because the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host.
This security vulnerability will result in Google Play store certification failure for planned applications or updates to existing applications. You will need to obtain the updated OSMP+ SDK prior to submitting your application for certification. Please find Google’s statement about this unsafe X509TrustManager here.
Existing applications already hosted on the Google Play store are not impacted by the new certification check. Updates can be scheduled at your convenience.
What is the solution?
The required code change was implemented and checked in to the Divitel MediaPlayer OSMP+ v3.17, v3.18, v3.19 and v3.20 release streams over a week ago. OSMP+ v3.16 is not impacted by this issue.
If you are using one of the following OSMP+ versions with a lower build revision than listed below, then you need to update your SDK.
Release versions with revision build:
- For 3.17, it has been checked in, Revision 92682
- For 3.18, it has been checked in, Revision 92789
- For 3.19, it has been checked in, Revision 92790
- For 3.20, it has been checked in, Revision 92802
If you want to receive the updated build of your OSMP+ version, please send us an e-mail with the current version you are using and we will send the new build to you.
Please feel free to contact your Divitel representative for clarification or additional questions.
Support: +31 (0)55 750 48 88
Reception: +31 (0)55 576 02 42