Face Recognition


Update libpng in OpenCV 2.4.11 for Android

On the 16th of June 2016 we got the email this is in the quote block below from The Google Play Team.

The email said that our application Face Detection and Recognition, which uses OpenCV for Android is affected by a security bug of libpng that is bundled in version 2.4.11. At the time that this post was written, version 2.4.11 was the latest one and the last update time to it was 2015-03-05.

Since there was no bug fix at the time, we had to take action into patching our application. Below are the steps you need to follow to replicate the bug fix:

  1. Download Android NDK if you did not already, you will need it in the following steps. The Android NDK project page is https://developer.android.com/ndk/.
    We used version android-ndk-r12b-linux-x86_64.zip for Linux 64-bit (x86) from https://developer.android.com/ndk/downloads/. After you download it, unzip it and copy the path of the folder.
  2. Download a copy of the libpng for Android repository in zip format from here https://github.com/julienr/libpng-android/archive/master.zip. Please note that this repository is not an official OpenCV repository.
  3. Unzip the libpng for Android downloaded file. Go to [LIBPNG_FOR_ANDROID_FOLDER]/jni/ and using a text editor open file config.h. Find the values for the following 3 variables PACKAGE_STRING PACKAGE_VERSION VERSION and make sure that they have the correct version number. At the time this post was written, the author of the repository omitted to update those values from 1.4.1 to 1.6.23. ( config.h (compressed) (169 downloads) )
  4. Using a terminal go into the folder that was created and execute: ./build.sh
  5. In case you get the error ./build.sh: line 2: ndk-build: command not found then edit build.sh using a text editor and on line 2 add the full path to the file ndk-build that is in the folder of the Android NDK you unzipped before. After you do this change execute ./build.sh again.
  6. Inside each of the folders in [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ you will find a file called libpng.a.
    Copy those files while renaming them to liblibpng.a into the respective folders of the OpenCV library you are using in you project that are found here [OPENCV_FOLDER]/sdk/native/3rdparty/libs/.
    Inside [LIBPNG_FOR_ANDROID_FOLDER]/obj/local/ we found the following folders: arm64-v8a, armeabi, armeabi-v7a, mipsmips64, x86x86_64.
    We did not use all of them as in [OPENCV_FOLDER]/sdk/native/3rdparty/libs/ we only had armeabi, armeabi-v7a, mips, x86.
  7. Rebuild your applications, test them and if they are OK upload the new versions online.

Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are using an unsafe version of the libpng library. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

What’s happening

Beginning September 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published APK version will not be affected, however any updates to the app will be blocked unless you address this vulnerability.

Action required: Migrate your app(s) to use libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK.

Next steps

  1. Download the latest version of libpng from the libpng website.
  2. Sign in to your Developer Console and submit the updated version of your app.
  3. Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly.

The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.

You can read more about the vulnerability in CVE-2015-8540. For other technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches.https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540

We’re here to help

If you feel we have sent this warning in error, you can contact our developer support team.

Regards,

The Google Play Team

 

Affected app(s) and version(s) are listed below. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

net.bytefreaks.opencvfacerecognition   1

Related post by Google Play Team:

How to fix apps containing Libpng Vulnerability

This information is intended for developers of apps that utilize any version of libpng library, that contains a security vulnerability disclosed in CVE-2015-8540. Apps with vulnerabilities like this can expose users to risk of compromise and may be considered in violation of our Malicious Behavior policy.

Please migrate your app(s) to libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher as soon as possible and increment the version number of the upgraded APK. Beginning Sep 17, 2016, Google Play will block publishing of any new apps or updates that use vulnerable versions of libpng. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.

Next steps

  1. Download the latest version of libpng from the libpng website.
  2. Sign in to your Developer Console and submit the updated version of your app.
  3. Check back after five hours – we’ll show a warning message if the app hasn’t been updated correctly. Note that some processing delays are common even if your app has fixed the vulnerability.

The vulnerability stems from an out of bounds memory access that could potentially lead to code execution. Versions 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 are affected.
You can read more about the vulnerability in CVE-2015-8540.

For other technical questions, you can post to Stack Overflow and use the tags “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

While these specific issues may not affect every app that uses libpng, it’s best to stay up to date on all security patches. Apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

–From https://support.google.com/faqs/answer/7011127


[Video] Android OpenCV – Face Detection and Recognition Demo

Android OpenCV – Face Detection and Recognition Demo using Android NDK/JNI to load OpenCV library.

Google Play: https://play.google.com/store/apps/details?id=net.bytefreaks.opencvfacerecognition

Get it on Google Play

Our application is based on the ‘Face Detection’ sample of OpenCV. The sample that is available for download from http://sourceforge.net/projects/opencvlibrary/files/opencv-android/, you will notice that there are many versions there, we used version 2.4.11. Refer to this (http://docs.opencv.org/2.4/doc/tutorials/introduction/android_binary_package/O4A_SDK.html) introduction for more information.