Google Play warning: Zip path traversal

My Keyboard App generates the following warning on Google Play:

Your app contains an unsafe unzipping pattern that may lead to a path traversal vulnerability. Please see this Google Help Centre article to learn how to fix the issue.

  • com.tavultesoft.kmea.util.ZipUtils.unzip

It doesn’t block anything but may be worth someone looking into.

What version of Keyman Engine for Android are you using?

We fixed that issue during 14.0 beta in pull request #4300

Keyboard App Builder 2.6.5 seems to bundle 13.x. I don’t know whether I can just replace the embedded .aar file inside KAB, but when I tried hacking that in, the app didn’t work, somewhat unsurprisingly.
This page says the fix is in 15.0.9 alpha.
Not a big deal; happy a fix is in the works. It’s probably mainly a KAB issue then, to migrate to the fixed kmea version.

Yeah, there are substantial changes going from Engine 13.0 to 14.0, so it’ll take a KAB update.

This conversation has been resolved.
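For readers who hit the same Google Play warning in their own unzip code: the check the warning asks for is to canonicalise each entry's destination and refuse anything that resolves outside the target directory. The sketch below is an added example, not Keyman's `ZipUtils.unzip` and not the change made in pull request #4300; the class name `SafeUnzip`, the sample entry names and the use of `java.nio.file` (Android API 26+) are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    /** Extracts zipFile into destDir, rejecting entries that resolve outside destDir. */
    public static void unzip(File zipFile, File destDir) throws IOException {
        Path root = destDir.getCanonicalFile().toPath();
        Files.createDirectories(root);
        try (ZipInputStream zin = new ZipInputStream(new FileInputStream(zipFile))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                // Canonicalise first so "../" segments are collapsed before the comparison.
                Path target = new File(destDir, entry.getName()).getCanonicalFile().toPath();
                // Path.startsWith compares whole path components, so "/data/out" does not
                // match "/data/outside" the way a plain string prefix test would.
                if (!target.startsWith(root)) {
                    throw new SecurityException("Zip entry outside target dir: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one ordinary entry and one traversal entry.
        Path tmp = Files.createTempDirectory("unzip-demo");
        File zip = tmp.resolve("sample.zip").toFile();
        try (ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(zip))) {
            for (String name : new String[] {"keyboard/layout.js", "../escaped.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write("sample".getBytes());
                zout.closeEntry();
            }
        }
        try {
            unzip(zip, tmp.resolve("out").toFile());
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("escaped.txt written? " + Files.exists(tmp.resolve("escaped.txt")));
    }
}
```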