Libpng漏洞

Question

我的应用程序是现场视频流和录音(包括音频和视频)使用wifi。使用下列依赖项：

repositories { maven { url 'https://raw.github.com/iParse/android-library-opencv/master/releases' } }
compile fileTree(include: ['*.jar'], dir: 'libs')
compile project(':main')
compile files('libs/javacpp.jar')
compile files('libs/javacv.jar')
compile 'com.android.support:appcompat-v7:23.2.1'
compile 'com.android.support:design:23.2.1'
compile 'com.iparse.android:opencv:2.4.13.1'
testCompile 'junit:junit:4.12'
compile files('libs/armeabi.jar')

有一次我试图上传到play商店，谷歌因为Libpng漏洞拒绝了我的应用程序，我发现了opencv库版本的问题，所以用它的gradle依赖性替换了opencv jar文件，我从libs/armeabi.jar文件夹中删除了.so文件，然后Google没有显示这个漏洞问题，它被上传到了play商店。下面是我们的应用程序的链接：https://play.google.com/store/apps/details?id=com.steelmanpro.wifivideoscope&hl=en

我从谷歌得到的回应是：

Hello Google Play Developer,

We rejected STEELMAN PRO – Video Scope, with package name com.steelmanpro.wifivideoscope, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability
APK Version(s)
Libpng library
The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how resolve the issue in this Google Help Center article.

3

To confirm you’ve upgraded correctly, submit the updated version of your app to the Developer Console and check back after five hours to make sure the warning is gone.

While these vulnerabilities may not affect every app that uses this software, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known security issues, even if you're not sure the issues are relevant to your app.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies.

If you feel we have made this determination in error, please reach out to our developer support team.

Best,

The Google Play Team

但现在这段视频没有录下来。这些是我的应用程序中使用的.so文件：

应用程序中使用的.so文件。

Answer 1

请参考这个答案。

• 将opencv、javaCV、javaCpp和FFMPEG从依赖项更新到最新版本，并且
• 将体系结构指定为"arm“
• 从maven存储库下载所有库的相同版本的android arm.jar文件。
• 解压缩jar并从所有jar库中的libs文件夹复制so文件，粘贴src/main/jnlibs/armeabiv7a下的.so文件。
• 列表项目 还可以在build.gradle中指定ndk文件夹

升级后的等级如下：

dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    compile group: 'org.bytedeco', name: 'javacv', version: '1.3.1'
    compile group: 'org.bytedeco.javacpp-presets', name: 'opencv', version: '3.1.0-1.3', classifier:    'android-arm'
    compile group: 'org.bytedeco.javacpp-presets', name: 'ffmpeg', version: '3.2.1-1.3', classifier: 'android-arm'
    compile 'com.android.support:appcompat-v7:23.2.1'
    compile 'com.android.support:design:23.2.1'
    testCompile 'junit:junit:4.12'
    compile files('libs/test.jar')
    compile files('libs/zxing.jar')
    compile(name:'FFmpegAndroid', ext:'aar')
    }

Answer 2

我找到解决办法了。FFMPEG和Opencv使用了易受攻击的libpng版本，我们已经将所有共享的对象文件添加为一个分离的jar文件。我们更新了库，并添加了以下依赖项

我将build.gradle文件更新为

dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    compile group: 'org.bytedeco', name: 'javacv', version: '1.3.1'
    compile group: 'org.bytedeco.javacpp-presets', name: 'opencv', version: '3.1.0-1.3', classifier:    'android-arm'
    compile group: 'org.bytedeco.javacpp-presets', name: 'ffmpeg', version: '3.2.1-1.3', classifier: 'android-arm'
    compile 'com.android.support:appcompat-v7:23.2.1'
    compile 'com.android.support:design:23.2.1'
    testCompile 'junit:junit:4.12'
    compile files('libs/test.jar')
    compile files('libs/zxing.jar')
    compile(name:'FFmpegAndroid', ext:'aar')
    }