SecurityException - GoogleCertificatesRslt: not allowed

Android, Google Api

Android Problem Overview


We have an app with some million users. Over the past week we have gotten around 30 "velocity alerts" from Firebase Crashlytics from older versions of the app with error messages like this:

Fatal Exception: java.lang.SecurityException
GoogleCertificatesRslt: not allowed: pkg=com.example.app, sha1=<sha1 redacted>, atk=false, ver=203914019.true (go/gsrlt)
android.os.Parcel.readException (Parcel.java:1959)
android.os.Parcel.readException (Parcel.java:1905)
com.google.android.gms.common.internal.s.r (s.java:37)
com.google.android.gms.common.internal.W.u (W.java:90)
com.google.android.gms.common.api.internal.At.q (At.java:17)
com.google.android.gms.common.api.internal.rt.run (rt.java:5)
java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:457)
java.util.concurrent.FutureTask.run (FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1162)
java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:636)
com.google.android.gms.internal.ef.run (ef.java:6)
java.lang.Thread.run (Thread.java:764)

It isn't impacting that many users, maybe a few hundred to a thousand. Normally we wouldn't really notice that small a problem, but because it seems to happen over and over again for those users we have gotten all those velocity alerts - making it more apparent.

Why is this happening? The stack traces vary a bit, but it does look like it's related to Google's GMS.

Is there anything we or our users can do to avoid it?

The issue seems to be spread out among Android versions and device vendors.

Android Solutions


Solution 1 - Android

This was an issue in Google Play services as confirmed from someone in dev relations. A fix was rolled out for this on 2nd Oct and we should see a decreasing trend for this as more devices auto update to the latest version (20.39.15).

Solution 2 - Android

I found in com.google.android.gms:[email protected] something like this:

package com.google.android.gms.common;

import javax.annotation.Nullable;

// Decompiled result object of the certificate check: zzap == true means the check passed.
@javax.annotation.CheckReturnValue
class zzl {
  zzl(boolean paramBoolean, @Nullable String paramString, @Nullable Throwable paramThrowable) {
    this.zzap = paramBoolean;
    this.zzaq = paramString;
    this.cause = paramThrowable;
  }

  static zzl zze() { return zzao; }
  static zzl zza(java.util.concurrent.Callable<String> paramCallable) { return new zzn(paramCallable, null); }
  static zzl zzb(@androidx.annotation.NonNull String paramString) { return new zzl(false, paramString, null); }
  static zzl zza(@androidx.annotation.NonNull String paramString, @androidx.annotation.NonNull Throwable paramThrowable) { return new zzl(false, paramString, paramThrowable); }

  @Nullable
  String getErrorMessage() { return this.zzaq; }

  // Logs the failure reason at DEBUG level (3) when the check did not pass.
  final void zzf() {
    if ((!this.zzap) && (android.util.Log.isLoggable("GoogleCertificatesRslt", 3))) {
      if (this.cause != null) {
        android.util.Log.d("GoogleCertificatesRslt", getErrorMessage(), this.cause);
        return;
      }
      android.util.Log.d("GoogleCertificatesRslt", getErrorMessage());
    }
  }

  // Builds the error message. The decompiler garbled the argument array;
  // it is rebuilt here from the visible index assignments ([2], [3], [4]).
  static String zzc(String paramString, zzd paramzzd, boolean paramBoolean1, boolean paramBoolean2) {
    String str = paramBoolean2 ? "debug cert rejected" : "not whitelisted";
    Object[] args = {
      str,
      paramString,
      com.google.android.gms.common.util.Hex.bytesToStringLowercase(com.google.android.gms.common.util.AndroidUtilsLight.zzj("SHA-1").digest(paramzzd.getBytes())),
      Boolean.valueOf(paramBoolean1),
      "12451009.false"
    };
    return String.format("%s: pkg=%s, sha1=%s, atk=%s, ver=%s", args);
  }

  private static final zzl zzao = new zzl(true, null, null);
  final boolean zzap;
  private final String zzaq;
  private final Throwable cause;
}

Similar error message.
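The two answers together suggest a triage step for exported crash messages: parse the `pkg=…, sha1=…, atk=…, ver=…` fields and separate reports from your own release signature on a pre-fix Play services build from reports carrying an unexpected signature. The Python below is an added example, not code from the question, the answers or Google. It assumes that `sha1` is the digest of the APK signing certificate and that the first six digits of the `ver` code encode the Play services version (203914019 as 20.39.14); `EXPECTED_SHA1` is a placeholder and the sample lines are constructed.

```python
import re
from collections import Counter

# Field layout follows the format string "%s: pkg=%s, sha1=%s, atk=%s, ver=%s".
MSG_RE = re.compile(
    r"GoogleCertificatesRslt: (?P<reason>[^:]+): pkg=(?P<pkg>[\w.]+), "
    r"sha1=(?P<sha1>[^,]+), atk=(?P<atk>true|false), "
    r"ver=(?P<code>\d+)\.(?P<flag>true|false)"
)
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Placeholder: SHA-1 fingerprint(s) of your own release signing certificate(s).
EXPECTED_SHA1 = {"aa" * 20}
# Assumption: leading six digits of the code are the version, fix is in 20.39.15.
FIXED_PREFIX = 203915

def parse(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sha1"] = rec["sha1"].strip().lower()
    rec["atk"] = rec["atk"] == "true"
    rec["code"] = int(rec["code"])
    return rec

def classify(rec):
    if not HEX40.match(rec["sha1"]):
        return "sha1-unavailable"      # e.g. redacted before export
    if rec["sha1"] not in EXPECTED_SHA1:
        return "unknown-signer"        # not our release cert: review separately
    if rec["code"] // 1000 < FIXED_PREFIX:
        return "pre-fix-gms"           # expected to fade as devices update
    return "post-fix-gms"              # our cert, updated GMS: still needs a look

def triage(lines):
    """Count crash messages per class; non-matching lines count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        counts[classify(rec) if rec else "unparsed"] += 1
    return counts

# Constructed sample input (not real crash data).
_FMT = "GoogleCertificatesRslt: not allowed: pkg=com.example.app, sha1={}, atk=false, ver={}.true (go/gsrlt)"
SAMPLE = [_FMT.format("aa" * 20, 203914019), _FMT.format("bb" * 20, 203914019),
          _FMT.format("aa" * 20, 203915037), _FMT.format("<sha1 redacted>", 203914019),
          "java.lang.NullPointerException: unrelated crash"]

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE).items()):
        print(f"{label:18} {n}")
```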

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Roy Solberg | View Question on Stackoverflow
Solution 1 - Android | nlmm01 | View Answer on Stackoverflow
Solution 2 - Android | Kenumir | View Answer on Stackoverflow