App Updates Blocked Due to Security Threat

I tried to release an update to my app today but was ultimately unsuccessful.

Garmin have sent me the following email:

An automated scan identified a security threat in the wristMT PRO app.
To access your app submission, make any necessary changes, and re-submit your app for approval, go to: XXXXXXXXXXX

My last successful update was only a few days ago. Today's update essentially extends 1 or 2 dictionary variables with some additional data but makes no changes to code structure or features beyond that.

I've tried three times now including on my Beta instance with the same result.

I can't fathom what "security threat" the tools have found and the email message is not exactly helpful in that regard.

Is anyone else seeing similar messages?

Rick

  • If you have been running into this problem and use the Prettier Monkey C extension in VS Code, please update to the latest version and try again. If you don't use this extension or you're still having problems after updating, let us know.

  • Can we get meaningful error messages?

  • I've just recompiled (my Beta instance) using v2.0.90 of Prettier Monkey C and things are slightly different now. The banner on the website is showing that the app is pending; however, I still get the email telling me that the app is a security threat.

    I'll try again without Prettier Monkey C which I'm sure I also did yesterday.

    EDIT: Without Prettier Monkey C there are no errors and no emails any more.

    EDIT: I've uploaded a Prettier Monkey C version again and attempted to download. The version that is being downloaded is the non-Prettier Monkey C version I uploaded immediately before the current version. Seems like the email message may be correct in that the current version is still blocked, although it's possible I didn't wait long enough as things take a lot longer these days. That said, it's 3:20am - I'm going to bed and will pick this up again during the daylight hours :-)

    Thanks  

  • I THINK I GOT THE BUG!!!! I changed minimum api level from 1.2.0 to 1.3.0 and it works!!!

  • I saw the update from @markw65 regarding disabling of argc optimisation. That didn't fix my problem. But disabling the Post Build PRE optimiser in v2.0.90 seems to have done the trick with regards to getting the app to upload. It doesn't help me with the out of memory error I now get on Fenix 6 and similar devices due to the additional optimisation also being disabled but I suppose it's one step forward.

  • Garmin informed me that the argc optimization from Prettier MonkeyC's post build optimizer was causing this, and asked me to remove that optimization.

    I've done so, but it seems that there are other issues their verifier doesn't like. For now turning off the post build optimizer (which is the default) should fix these issues - but I'm working on figuring out exactly what it's objecting to, and will send out another release as soon as possible.

  • I'm the Prettier Monkey C developer. Even after disabling the argc optimization (as Garmin asked me to), my app is still being rejected.

    I started to debug exactly why, by turning off more and more of the post build optimizations, and the app kept getting rejected. So I turned off the post build optimizer altogether, and it still got rejected. At this point, I'm just building the project with Garmin's tools. The project has been generated, but it's all written in normal monkeyc.

    So then I tried just building the un-optimized source with Garmin's tools directly, and it still got rejected.

    Is it possible that after a few rejects the store just marks the app-id as bad (or maybe my developer id as bad), and no matter what I upload it's going to be rejected?

  • As an update, I have another app I've been working on, but which I hadn't yet uploaded to the store. I tried uploading that (built with the regular "Monkey C: Export Project" command), and the store accepted it.

    Then I tried building it with my optimizer, with the post build optimizer turned off, and the store accepted it.

    Then I tried building it with my optimizer with the post build optimizer turned on, and the store accepted it. [Edit: The store has just rejected this version]

    So either the store is rejecting the other app just because it's been rejected too many times, or there is something it doesn't like about the plain monkeyc build (without my optimizer involved) - which seems like a bug in the verifier to me.

    [Edit: It looks like there is something the post build optimizer does that the store is not happy with. But there's also something with my original app that triggers issues even without my optimizer]

  • Is it possible that after a few rejects the store just marks the app-id as bad

    I think this is what's happening.

    I did several iterations on a different app, slowly homing in on what was causing the problem. For the first several tries, the store would initially appear to accept the app, and then sometimes reject, depending on which optimizations were enabled.

    But then it just started rejecting it immediately after hitting the submit button, even when I upload the same, unoptimized build that worked initially.

    [Edit: I guess this was just delays in the store. After leaving it for a while, it did sort itself out, and both apps, when built without the post build optimizer, stopped saying they were blocked]

  • What's the minimum api level that you are using?