Android app security popup 11.07.2023

ivdimitro · July 12, 2023, 9:30am

Hello, last night 11.07.2023 I got a popup in my app that I am running “insecure version of the SW” or something similar. As I was falling asleep I didn’t clearly understood if the popup was for the android app or the server software. I dismissed the notification assuming the auto update will fix the issue till the morning.
So far I don’t see updates neither on the server side (I am already running 2023.7.1), nor on my phone. I can’t find any mention of new vulnerability on the web as well.

Was I dreaming or is there a new security issue? Nabu cassa have been really responsive with such disclosures so I am not very worried but it will be good to know if something needs to be done.

dshokouhi · July 12, 2023, 3:20pm

without seeing what the pop-up is its tough to say what you got. The last security warning the app had was back in 2021 to inform the user.

ivdimitro · July 12, 2023, 5:32pm

I know the description is not good but if I wasn’t so asleep I would have read it more carefully at first place

ivdimitro · July 16, 2023, 6:48pm

I managed to catch the message the third time it popped up. It warns about recent vulnerability in custom components. I have a few HACS components but all of them are up to date and the link in the “view bulletin” is 404.

dshokouhi · July 16, 2023, 7:31pm

Weird for some reason the API didn’t respond with the correct core version then. That pop-up is only for a particular version back in 2021.