CVE-2020-8913: Google Play Core libraries release notes | Android Developers
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android’s Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application’s data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.
This page explains what’s included in the recent updates to the Google Play Core libraries.
Migrate to the new Play libraries (April 2022)
The Google Play Core Java and Kotlin libraries have been split into multiple separate libraries, one for each feature. Please update to the following new libraries to benefit from new product additions:
- Play Asset Delivery Library
- Play Feature Delivery Library
- Play In-App Reviews Library
- Play In-App Updates Library
See migration guide for more information.
The monolithic library will not receive future updates or bug fixes.
1.10.3 (January 2022)
Bug fixes
- Play Feature Delivery: Fixed a crash at startup time affecting certain devices.
- Play Asset Delivery: Fixed a race condition that could rarely cause asset pack installation to fail with the error code -100.
1.10.2 (September 2021)
Bug fixes
- Play Asset Delivery: Fixed an issue that could cause an ANR in certain edge cases during the installation of asset packs.
- Play Asset Delivery: Fixed an issue that could cause the installation of fast-follow packs to fail.
- General infrastructure fix that reduces the number of internal errors for all APIs.
1.10.1 (September 2021)
Behavior changes
- Increased Android minimum SDK version to 14 (Ice Cream Sandwich).
Bug fixes
- Stability fixes to Play Feature Delivery (deferred uninstall and split emulation), In App Updates (improved input parameter validation) and general library infrastructure (handle corner cases when the Play Store is disabled or not running).
- Introduced a dedicated ReviewException in the In App Review API.
- Strengthened security of Play Feature Delivery split emulation.
1.10.0 (February 2021)
New features
- Play Core Native SDK: Supports In-App Updates
Behavior changes
- ReviewManager.requestReviewFlow() now provides a ReviewErrorCode.PLAY_STORE_NOT_FOUND error to indicate that the Play Store app is either not installed or not the official version.
1.9.1 (January 2021)
Bug fixes
- Bug fixes for Play Asset Delivery and Play Feature Delivery.
1.9.0 (December 2020)
New features
- Play Feature Delivery now provides a new user confirmation that enables feature delivery for users who installed your app from a different source than the Play Store.
  - Previously this would result in an APP_NOT_OWNED error.
  - Now, startInstall() returns a REQUIRES_USER_CONFIRMATION status for users who haven’t installed the app from Play. After user acceptance, the download will proceed as normal.
  - If your app already handles the REQUIRES_USER_CONFIRMATION status, there are no code changes required to benefit from this feature.
Bug fixes
- Bug fixes for Play Asset Delivery.
1.8.3 (October 2020)
Behavior changes
- Deprecated MissingSplitsManager. The feature is now obsolete. Incomplete installs with missing split APKs will fail on devices where Google Play Protect is active and on all devices running Android 10 or above.
Bug fixes
- Fixed Play Asset Delivery patching bug affecting asset packs using texture compression format targeting.
1.8.2 (September 2020)
Bug fixes
- Fixed UI flickering in the In-App Review API.
- Minor bug fixes for other APIs.
1.8.1 (August 2020)
com.google.android.play:core-ktx bugfix release only.
Bug fixes
- Fixes an issue where including the Play Core KTX library adds unnecessary permissions to the app project.
1.8.0 (July 2020)
New features
- Adds support for In-App Reviews.
- Kotlin extensions:
  - New In-App Reviews extension.
- Play Core Native SDK:
  - Supports In-App Reviews.
Behavior changes
- Play Asset Delivery, In-App Updates, and Play Feature Delivery now return a specific APP_NOT_OWNED error if the user hasn’t acquired the app via Play. This error used to be surfaced as API_NOT_AVAILABLE: the latter is still used for other cases when the API is not available (such as when the device is not supported).
- Bugfixes in Play Asset Delivery that improve the stability and performance of app updates with asset packs.
- Play Core KTX no longer incorrectly exposes the ExperimentalCoroutinesApi annotation on its extension functions.
Known issues
- The Play Core KTX artifact (com.google.android.play:core-ktx) incorrectly specifies its minSdkVersion, resulting in unnecessary permissions being added to the app project. Please use the 1.8.1 bugfix release of the KTX library.
1.7.3 (May 2020)
New features
- Added AppUpdateOptions.setAllowClearStorage(boolean), an option to allow the In-App Updates API to delete Asset Packs if the device has insufficient storage for the update.
Behavior changes
- Play Feature Delivery: Deprecated direct creation of FakeSplitInstallManager. Use FakeSplitInstallManagerFactory instead to create FakeSplitInstallManager.
- In-App Updates: Deprecated InstallErrorCode.NO_ERROR_PARTIALLY_ALLOWED. The API now returns InstallErrorCode.NO_ERROR for this case.
- Bugfixes in SplitCompat and the local testing mode for Play Asset Delivery.
1.7.2 (March 2020)
Behavior changes
- Fixed a path traversal security vulnerability in Split Install API (CVE-2020-8913) and other general bugfixes. If you are using a lower version, please update to this version.
1.7.1 (March 2020)
New features
- Play Core Native SDK:
  - Supports Play Asset Delivery.
Behavior changes
- Fixed a permission bug in the Play Asset Delivery API. If you are using 1.7.0, please update to this version.
1.7.0 (March 2020)
New features
- Adds support for Play Asset Delivery.
- Kotlin extensions:
  - New Play Asset Delivery extension.
  - Added support for new signals (update priority, app staleness, download progress) in the In-App Updates extension.
1.6.5 (February 2020)
New features
- Adds new features to In-App Updates API:
  - Check staleness of the installed version of your app.
  - Monitor download progress.
  - Retrieve in-app update priority, as defined by you in the Google Play Developer API.
- Better local testing of the module install flow using the FakeSplitInstallManager:
  - Automatically instantiate the fake implementation of SplitInstallManager from SplitInstallManagerFactory if the App Bundle was built in local testing mode.
  - Improvements to more realistically match the actual implementation.
- You can now initiate SplitInstallManager confirmation flows from fragments (in addition to activities).
Behavior changes
- Improved on-demand feature module installation performance, especially for Android L.
- Kotlin extensions: The Flow returned by SplitInstallManager.requestProgressFlow now uses Channel.UNLIMITED instead of Channel.BUFFERED.
1.6.4 (October 2019)
New features
- Adds FakeSplitInstallManager, which you can use for testing dynamic feature module install in integration tests, without connectivity.
- Javadoc and IntDef annotations are now exported in the maven repository, providing Android Studio completion, etc.
- Kotlin extensions now available in alpha. Add com.google.android.play:core-ktx:1.6.4 as a module dependency and include import com.google.android.play.core.ktx.* in your code.
- You can now initiate in-app update flows from fragments (in addition to activities).
1.6.3 (September 2019)
This release includes general bugfixes.
1.6.2 (September 2019)
New features
- Adds a new API SplitCompat.installActivity for installing SplitCompat on activities. This has better performance than calling full SplitCompat.install on the activity.
Behavior changes
- Native code fix for loading certain libraries on certain devices
- More robust recovery from interrupted SplitCompat
- More useful information in the string representation of exceptions
- Other general bugfixes and updated JavaDocs
1.6.1 (July 2019)
This release includes general bugfixes.
1.6.0 (May 2019)
New features
- New Sideloading crash prevention API, which allows you to detect incomplete installation of apps that are built using an Android App Bundle. To learn more, read Verify non-Google Play app installs.
1.5.0 (April 2019)
New features
- New In-App Update API, which allows you to request users to trigger an update directly from the app. To learn more, read Support in-app updates.
1.4.1 (April 2019)
Behavior changes
- Fixes multi-process race condition in SplitCompat
- Better background thread management
1.4.0 (February 2019)
New features
- New API that allows you to download additional languages on demand
- SplitCompat now supported on devices running Android Q
1.3.7 (February 2019)
New features
- Adds explicit error codes for SplitCompat failure scenarios
- Adds the startIntentSenderForResult() method to start the confirmation dialog. Using the PendingIntent directly has been deprecated. To learn more, read Obtain user confirmation
Behavior changes
- Fixes race conditions in SplitCompat that, on rare occasions, lead to errors
- Fixes bug in SplitCompat where, in the rare case that the app had no configuration splits, modules were not reported as installed
1.3.6 (November 2018)
New features
- New INSUFFICIENT_STORAGE error when installs cannot complete due to lack of disk space
Behavior changes
- A module is now reported as installed only if its master split is installed (previously any split would suffice)
- Mixed case class names are no longer used, which sometimes caused issues when building on Windows
Last updated 2022-10-05 UTC.