16

This recently popped out pre-launch report, once I published minor update to app.

enter image description here

I've seen also couple of similar recently in other projects, with class names obfuscated in exactly same name (bjqm.* , bpce.*).

I wonder whats causing it (which dep)? Note that it's dynamically loaded code. These classes are nowhere to be seen in "obfuscation mapping.txt", I didn't catch classes either in heap dump. Also I've tried to submit app without obfuscation into internal builds, but these classes are still scrambled / obfuscated in pre-launch report.

It seems Google has updated static analyzers recently as minor change I did in codebase doesn't cause it.

Improve this question
26
  • 1
    I am getting the EXACT same issue, with the EXACT same names bjqm.c and bpce.b... its very strange. Will also do a re-upload and see if it works Commented Apr 26, 2023 at 11:58
  • 1
    I just got this warning even though I didn't have this warning a week ago when I submitted another update. Very similar code, just minor changes. I did update some ad network libraries. Anyone know how I can track which libraries might be causing this? Commented May 8, 2023 at 13:56
  • 1
    Maybe it is com.google.android.gms:play-services-basement dep (it's a subdep of play-services-location, firebase-message & others). It seems to have following fixed in 18.0.2; "The latest updates to the play-services-basement library improve security on signature verification and address the mutable PendingIntent vulnerability.". @Zee if you could try bumping play-services-location to latest (21.0.1). Use “./gradlew app:dependencies” to test you have play-services-basement >= 18.0.2 in project. I upgraded play-services-location from 17.0.0->21.0.1 and basement is now 18.1.0 from 17.0.0 Commented May 11, 2023 at 8:24
  • 1
    @ErkkiNokso-Koivisto if I undo the upgrade, it seems to be depending on basement 18.1.0... so now im not sure. But the error is still now showing in Play :( Commented May 11, 2023 at 12:32
  • 1
    I'm on 18.2.0 for base and 18.1.0 for basement and got the pre launch report error last night. I found out you can upload the bundle and not submit it for review and it still generates the pre launch report so I'm just testing that way. Commented May 11, 2023 at 14:41

4 Answers 4

Reset to default
2

I am having EXACTLY the same issue with completely identical messages, but they seem to appear randomly. I successfully sumbitted the latest version of my app yesterday and it was published to the Store. When I look at that release in the Dashboard this morning, the two errors have been added. The same happened for a previous release. What is going on?

By the way, as a newbie, I wanted to add a comment to the original question, but I'm not allowed to. Apologies if adding an answer isn't correct protocol.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Is this leading to an apk rejection? I only have the pre-launch report so far, nothing else. Edit: to answer my own question, nope, it didn't lead to an apk rejection.
So yesterday I uploaded two bundles but only released one. I just realized the one I never released is the one that triggered the alert, so I don't actually know if that would lead to an apk rejection.
1

I resubmitted another build of app with zero changes, and "Unsafe encryption" and "Implicit Pending Intent" errors are gone :)

Improve this answer

Comments

1

Not sure if it was luck or our action but, using Unity and Easy Save 3 plugin, we suffered this issue. After updating Easy Save 3 plugin to its latest version, Google Play stopped complaining.

Just in case this information is helpful for somebody

Improve this answer

Comments

1

I had the same problem as you bjqm.c, bjqm.d, bpce.b

after that I changed SharedPreference to EncrytedSharedPreference and submitted an update. And all warnings are gone.

EncryptedSharedPreference Google doc

if you use SharedPreference, you can try this. good luck

Improve this answer

2 Comments

Were you doing some encryption stuff with SharedPreference or do you think the library was doing something?
Previously I used SharedPreference and no encryption. After that I encrypted the SharedPreference using EncryptedSharedPreference and all warnings went away. I just followed the recommendations in the google docs for warnings.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.