ArcGIS Runtime SDK for Android – August 2015 Security Update
Esri has updated the ArcGIS Runtime SDK for Android to address a vulnerability (identified by CVE-2015-2002) that could allow malware to cause memory corruption in an app that uses the SDK, and possibly gain code execution in the context of that app.
A user is affected by this vulnerability only when both of the following are true:
• The user has installed an app built with the vulnerable ArcGIS Runtime SDK for Android on their Android device.
• The user has a malicious app installed on their Android device that exploits the vulnerability.
There have been no reports or evidence to indicate the vulnerability was ever used to access user data. However, we strongly recommend updating your apps with this latest SDK and, in general, regularly updating your apps with the latest SDK available.
See the Description section above.
Esri strongly recommends that developers download the latest version of the ArcGIS Runtime SDK for Android (version 10.2.6-2 or later) and update their apps.
Collector for ArcGIS was updated on July 14, 2015 in the Google Play Store. The July 14 update (version 10.3.2), among other things, incorporates the ArcGIS Runtime SDK for Android 10.2.6-2 that resolves the security vulnerability described above.
Explorer for ArcGIS was updated on July 29 in the Google Play Store. The July 29 update (version 10.2.8), among other things, incorporates the ArcGIS Runtime SDK for Android 10.2.6-2 that resolves the security vulnerability described above.
Esri strongly recommends that any customer using Collector for ArcGIS or Explorer for ArcGIS on Android download these updated versions.
Use the following links to the ArcGIS for Developers site, where the latest version of the ArcGIS Runtime SDK for Android can be downloaded, and to the Google Play Store, where the latest versions of Collector for ArcGIS and Explorer for ArcGIS can be downloaded:
ArcGIS for Developers
Collector for ArcGIS
Explorer for ArcGIS
The use of anti-virus software on the Android platform can reduce the likelihood of a malicious app being installed on the device, which is a prerequisite for this vulnerability to be exploited.