Question

App rejected by Play Console due to security

  • 21 April 2023
  • 12 replies
  • 1650 views

Badge +3

Hi All,

Trying to publish an app and got the following:

Unsafe Encryption

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details.

  • p0.e0.c

Unfortunately got nothing else, no email, so just have to guess what code its refering to. Best guess is the key used to configure revenuecat for in-app purchase.

configuration = PurchaseConfiguration('goog_********************************');

They suggest using Jetpack (https://support.google.com/faqs/answer/9450925)

I am however struggling to implement this in flutter. Does anyone have any example code/articles etc that could help?

I suspect this will impact all apps that use a key within the app like revenuecat.

Thanks


12 replies

 When integrating RevenueCat into an app, developers need to configure a public key that is used to verify purchase receipts from the app store. If this key is not properly configured or uses weak encryption, it could trigger the "Unsafe Encryption" error message.

Badge +3

ok, so that may be the problem…. solution?

So far all I can see is - fixed keys bad … dynamically generate so different each time. 

However this is not in the revenuecat docs as it instructs to use fixed key and paste them into the code!

totally incompatible. 

is there a solution of does using revenuecat mean I cant publish to google????

Badge +1

I get this error in google play too. 

I check my dependencies, other libs are all belongs to google. I think the most likely one which cause this is RevenueCat. (but not confirmed)

I think RevenueCat would self-check the code by the guide. And I will continue to find out which lib exactly cause this. 

I am using RevenueCat  version below

implementation ("com.revenuecat.purchases:purchases:6.1.1")

 

Unsafe Encryption

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details.

  • bjqm.c (in dynamically loaded code)
  • bjqm.d (in dynamically loaded code)

Hi,

Did you find a  fix for this unsafe encryption alert in play store app submission . I have the same error on my App Bundle submission.

Hmh I’ve exactly same errors in other project (not using revenuecat).. I wonder which dep pulls out bjqm.* and bpce.*.. This seems to be something new added in Google Plays static analysis as it started to appear with minor change…

https://stackoverflow.com/questions/76101637/your-app-contains-unsafe-cryptographic-encryption-patterns-in-dynamically-loade

Userlevel 5
Badge +9

Hello all,

RevenueCat doesn’t use encryption beyond standard TLS so I don’t think RevenueCat would be causing this. If it is related to Proguard, try adding -keep class com.revenuecat.purchases.** { *; } to your Proguard configuration. If that works, then the issue is probably in Proguard.

@fdx-76333c i submitted another build of my app with no changes, and errors regarding “Implicit Pending Intent” and “Unsafe Encryption” (in dynamically loaded code) disappeared from pre-launch report.

@sharif also just got this error in the console (the app is still in review), seems related to revenuecat.

If they approve I guess it’s fine. If they don’t I’ll try adding proguard rule and resubmit.

 

Userlevel 5
Badge +9

@vishna are you also using Flutter or a different SDK?

Yes, also flutter. Also while the error showed up in the console, there was no implication when it came to approval 🤷‍♂️

Badge +1

I am also getting the same error. I am using the flutter SDK version 4.8.0. I followed the change log for the newer version of SDK. But didn’t find anything related to this issue. 

 

Userlevel 5
Badge +9

@KharelPankaj Thanks for letting us know. I checked with our mobile engineering team and they mentioned that we don’t use any special cryptography in the Flutter SDK. Does it go away when submitting another build of your app?

Reply