This information is intended for developers with app(s) that use a vulnerable version of WebRTC.
What’s happening
One or more of your apps include a version of WebRTC that has serious security vulnerabilities. These vulnerabilities can make your app susceptible to remote code execution and can potentially give an attacker access to your app’s private data.
Fixing this issue is highly recommended, but not mandatory. The publication status of your app will be unaffected by the presence of this issue.
Additional details
These vulnerable versions of WebRTC use usrsctp, a third-party library that is the source of the vulnerabilities, and is no longer used by WebRTC.
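To find which native libraries in a built APK or app bundle still carry usrsctp (useful for telling a direct WebRTC dependency from one pulled in by an SDK), the following added example scans every .so entry for the library's name. It is not code from Google or the WebRTC project. The "usrsctp" byte marker is a heuristic assumption: the library's public functions share that prefix, but a stripped build may not contain it, so a clean result does not prove the library is absent.

```python
import io
import zipfile

# Assumption: heuristic marker. usrsctp's public API functions share the
# "usrsctp_" prefix, which often survives in symbol tables or log strings.
MARKER = b"usrsctp"
CHUNK = 1 << 20  # read native libraries in 1 MiB chunks


def contains_marker(stream, marker=MARKER, chunk_size=CHUNK):
    """Return True if marker occurs in stream, including across chunk edges."""
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return False
        window = tail + chunk
        if marker in window:
            return True
        # Keep the last len(marker)-1 bytes so a split marker is still found.
        tail = window[-(len(marker) - 1):]


def find_usrsctp_libs(archive):
    """List .so entries of an APK/AAB (path or file object) holding the marker."""
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".so"):
                with zf.open(info) as lib:
                    if contains_marker(lib):
                        hits.append(info.filename)
    return sorted(hits)


def build_sample_apk():
    """Constructed sample: a tiny zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libold_rtc.so", b"\x7fELF\0usrsctp_init\0")
        zf.writestr("lib/arm64-v8a/libnew_rtc.so", b"\x7fELF\0no_marker_here\0")
        zf.writestr("assets/notes.txt", b"mentions usrsctp but is not a library")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in find_usrsctp_libs(build_sample_apk()):
        print("usrsctp marker found in", name)
```

Pass the path of your own APK or app bundle to find_usrsctp_libs in place of the constructed sample; the library file names it returns indicate which dependency ships the affected code.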
Next Steps
1. Update your app and fix the issue using the steps below:
- If your app depends on WebRTC directly,
- If your app depends on WebRTC indirectly through an SDK or third-party library, notify the SDK/library developers and work with them to address this issue.
- Note that pre-built WebRTC binaries have been deprecated for some time. Developers must build from source to get the latest updates.
2. Submit your updated app bundle or APK
To submit an updated app bundle or APK:
1. Go to your Play Console.
2. Select the app.
3. Go to the App bundle explorer.
4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
6. Near the top right of the page, click Create new release. (You may need to click Manage track first.)
7. If the release with the non-compliant APK/app bundle is in a draft state, discard the release.
8. Add the policy-compliant version of the APK/app bundle.
9. Make sure the non-compliant version of the APK/app bundle is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
10. To save any changes you make to your release, select Save.
11. When you've finished preparing your release, select Review release.
12. If the non-compliant APK/app bundle is released to multiple tracks, repeat steps 5-9 in each track.
During this time your new app or app update displays an "in review" status until your request is completed. If the app has not been updated correctly, vulnerability notifications will continue to be sent to your Play Console.