Security update on Mobilisten(Mobile SDK) - Android users

Greetings from the SalesIQ team,

We have identified a possible vulnerability that may affect your app if you use the Mobilisten Android SDK. Read this post to check whether it applies to you and how you can prevent the issue.

Whom can it affect? 

This vulnerability is limited to Android apps and depends on how the application's Maven source-repository list for dependencies is configured. It does not apply to all apps, but we would like you to ensure that yours is not exposed to the risk.

Cause and effect:

Whether the security risk applies to your Android application depends on the following factors:

  1. mavenCentral is not the highest-priority source repository (by order) in your build.gradle/settings.gradle file, and the JitPack Maven repository is used to resolve dependencies, so a compromised version of a dependency can be resolved from JitPack.
  2. Your application uses the `com.nostra13.universalimageloader:universal-image-loader` package as a dependency. Mobilisten uses this package as an internal dependency.

 

Suppose an app lists JitPack as a higher-priority source repository than mavenCentral for resolving its dependencies. In such a configuration, resolving the `universal-image-loader` dependency through JitPack can download a compromised version of the package, leading to the risk.
 
If your application does not meet the above criteria, then you are not vulnerable to the risk, and no action is required on your behalf.

 

However, if your application meets the above criteria, please find the steps to mitigate the risk below.

Mitigation: 

Re-order your dependency source-repository list so that mavenCentral has the highest (top) priority among the repositories used to resolve your application's dependencies. If your application uses the JitPack repository to resolve any of its dependencies, give JitPack a lower priority by placing it after mavenCentral; this negates the risk.
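The following Gradle configuration is an added example (not code from the SalesIQ team or the Mobilisten project) showing the risky ordering beside the corrected one. It also restricts JitPack to the dependency groups that are expected to come from it, so a package such as `universal-image-loader` can never be resolved from JitPack regardless of order; the group name `com.github.example-org` is a placeholder you would replace with the groups your app actually pulls from JitPack.

```groovy
// --- Risky: JitPack is consulted before mavenCentral (build.gradle) ---
allprojects {
    repositories {
        maven { url 'https://jitpack.io' }  // highest priority: can serve a tampered artifact
        mavenCentral()
        google()
    }
}

// --- Corrected: settings.gradle (Gradle 6.8+), declared once for all modules ---
dependencyResolutionManagement {
    // Fail the build if a module adds its own repositories, so ordering is enforced centrally
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()  // trusted repositories resolve first
        // JitPack is last AND limited to the groups that genuinely live there,
        // so com.nostra13.universalimageloader:* is never requested from it.
        exclusiveContent {
            forRepository {
                maven { url 'https://jitpack.io' }
            }
            filter {
                includeGroup 'com.github.example-org'  // placeholder group
            }
        }
    }
}
```

After changing the configuration, run `./gradlew app:dependencies --configuration releaseRuntimeClasspath` and confirm the `universal-image-loader` artifact is resolved from Maven Central (or is absent once Mobilisten 4.2.8 is in use).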
 
Additionally, we have removed the dependency on the `universal-image-loader` package from Mobilisten, which eliminates this specific vulnerability. We have released version 4.2.8 of the Mobilisten library for Android, which contains this change. You may upgrade Mobilisten to this version to mitigate the risk further.

 

If you have any questions, please write to us at support@zohosalesiq.com

Regards,
Team Zoho SalesIQ.  