
Security Alert: Your app contains embedded private keys or keystore files


I recently got a mail from Google:

**Security Alert: Your app contains embedded private keys or keystore files**

**This app contains one or more private keys or keystore files embedded in its published apk as listed at the end of this message. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.**

**As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files is not to circulate them. Please remove your private keys and keystore files from your app at your earliest convenience. For more information about keeping your keys secure, please see https://developer.android.com/tools/publishing/app-signing.html.**

**You have a responsibility as a developer to secure your private key properly, at all times. Please note, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.**

**org/bouncycastle/openssl/test/data/rsa/openssl_rsa_unencrypted.pem**

I have checked my APK; I haven't saved any keystore or password in my app, and I don't have any .pem file in the app.

In my app I am using Crashlytics and droidText.Jar. So, could anyone please tell me how to resolve this error?


Solution

The warning is being triggered by the .pem file under the BouncyCastle directory. .pem files are usually exports of private keys, and are effectively a keystore (usually just containing the one private key, but still a form of keystore), hence the Google warning about private keys or keystore files.

The BouncyCastle stuff is most likely dragged in as a dependency by something else that you are using.

In all instances where I've encountered this, it's been test data that can be safely deleted.

You'll need to hunt it down inside your APK and delete it; it should be safe enough to delete the entire /test/data path.
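A way to check an APK yourself before uploading, as an added example that is not code from the question, the answer, Google or BouncyCastle: the script opens the APK as the zip archive it is, flags entries that contain a PEM private-key block or start with a Java keystore magic number (regardless of file name), falls back to a file-name check, and then shows which findings would survive dropping the BouncyCastle test-data path the answer recommends deleting. The sample APK, its file contents and the entry name `assets/config.bin` are constructed for the demonstration; only the `org/bouncycastle/openssl/test/data/...` path comes from the page.

```python
"""Scan an APK (a zip archive) for embedded private keys and keystore files.

Added example for this page, not code from the question, the answer, Google or
BouncyCastle. The APK built by make_sample_apk() is constructed test data.
"""
import io
import re
import zipfile

# PEM headers that announce private key material: "RSA PRIVATE KEY", "EC PRIVATE KEY",
# "ENCRYPTED PRIVATE KEY", plain PKCS#8 "PRIVATE KEY", OpenSSH, and so on.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"    # Java KeyStore (JKS) file magic
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # JCE KeyStore file magic
# PKCS#12: DER SEQUENCE (0x30 + 1-4 length bytes) whose first element is INTEGER version 3.
PKCS12_PREFIX = re.compile(rb"\x30(?:[\x00-\x7f]|\x81.|\x82..|\x83...)\x02\x01\x03", re.DOTALL)
KEY_FILE_SUFFIXES = (".pem", ".key", ".jks", ".keystore", ".p12", ".pfx", ".bks")


def classify(name, data):
    """Return a short reason if this archive entry looks like key material, else None.

    Content checks run first so a keystore under an innocent name is still caught;
    the name check is last so a .pem holding only a certificate is reported
    separately and can be triaged as lower priority.
    """
    if PEM_PRIVATE_KEY.search(data):
        return "PEM private key"
    if data.startswith(JKS_MAGIC):
        return "JKS keystore"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS keystore"
    if PKCS12_PREFIX.match(data):
        return "PKCS#12 keystore"
    if name.lower().endswith(KEY_FILE_SUFFIXES):
        return "key-like file name"
    return None


def scan_apk(apk_bytes):
    """Return [(entry_name, reason)] for every suspicious entry in the APK, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify(info.filename, zf.read(info))
            if reason:
                findings.append((info.filename, reason))
    return findings


def remaining_after_exclude(findings, excluded_prefix):
    """Findings that survive removing one path prefix from the APK.

    Deleting the BouncyCastle test-data path silences the warning quoted on this
    page, but it does nothing for an app's own embedded keystore, which is why
    the scan and the exclusion are shown side by side.
    """
    return [(n, r) for n, r in findings if not n.startswith(excluded_prefix)]


# Constructed test data: a PEM header with a placeholder body. Only the header is
# needed to trigger the check, so no real key bytes appear here.
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"constructed-placeholder-not-a-real-key\n"
            b"-----END RSA PRIVATE KEY-----\n")


def make_sample_apk():
    """Build an in-memory APK containing the BouncyCastle test file named in the alert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")           # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)   # placeholder content
        # The exact entry Google listed at the end of the mail quoted above.
        zf.writestr("org/bouncycastle/openssl/test/data/rsa/openssl_rsa_unencrypted.pem", FAKE_PEM)
        # A keystore travelling under an innocent-looking name (constructed).
        zf.writestr("assets/config.bin", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 32)
        # A public certificate: "BEGIN CERTIFICATE" is not a private key and must not
        # be reported as one; it is only flagged by its file name.
        zf.writestr("assets/ca.pem", b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_apk(make_sample_apk())
    for entry, reason in hits:
        print(f"{reason:20s} {entry}")
    left = remaining_after_exclude(hits, "org/bouncycastle/openssl/test/data/")
    print(f"{len(left)} finding(s) remain after dropping the BouncyCastle test-data path")
```

Run it against a real build with `scan_apk(open("app-release.apk", "rb").read())`. In a Gradle build the deletion step is normally done declaratively, by excluding the test-data path in the `android` block's `packagingOptions`, rather than by editing the built APK: an APK edited after signing no longer has a valid signature and would have to be re-signed with the very key the alert is about protecting.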