We got rejected by Google Play for updating a game. The reason was that somewhere in the code, something is allowing untrusted certificates. This opens up for man-in-the-middle attacks in all apps using SSL networking.
After a day of research we finally got the game approved by Google. To get it approved, we had to remove the UDP and UnityChannel folders from Plugins/Android. We did this after decompiling the APK. We found that UDP was referencing X509TrustManager in two places.
After going through the latest release notes, I discovered that Unity recently “fixed” a handshake issue in UnityWebRequest. Putting two and two together, I think this change has introduced the very serious vulnerability issue. Link to case: Unity Issue Tracker - REST request to SSL server: Failed to receive data
The vulnerability is then either only in the UDP/UnityChannel files, or - much worse - applied to the complete UnityWebRequest API. If the latter is the case, and since Unity has backported the fix to all versions of 2019 and 2018.4, we’re effectively shut out from updating our other game that uses UnityWebRequest for multiplayer networking.
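
A check for the pattern described in the post, as an added example that is not part of the original post or of Unity's code: it scans decompiled Java sources for an `X509TrustManager` whose `checkServerTrusted` can never reject a certificate chain. The file names and sample classes are constructed, and the text match is a heuristic (it does not catch an exception that is thrown and then swallowed).

```python
import re

# Start of a checkServerTrusted method definition (declarations ending in ';' do not match).
METHOD_RE = re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{")

def method_bodies(source):
    """Yield the brace-balanced body of every checkServerTrusted method."""
    for m in METHOD_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield source[m.end():i - 1]

def is_permissive(body):
    """True when the body has no throw and no delegating checkServerTrusted call."""
    code = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # drop block comments
    code = re.sub(r"//[^\n]*", "", code)               # drop line comments
    return "throw" not in code and "checkServerTrusted(" not in code

def scan(files):
    """files maps path -> decompiled source; returns paths that accept any chain."""
    return sorted(path for path, src in files.items()
                  if "X509TrustManager" in src
                  and any(is_permissive(b) for b in method_bodies(src)))

# Constructed sample input: one accept-all trust manager, one that delegates.
SAMPLES = {
    "sample/AcceptAll.java": """
class AcceptAll implements javax.net.ssl.X509TrustManager {
    public void checkClientTrusted(java.security.cert.X509Certificate[] c, String a) { }
    public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) {
        // never throws, so every chain is trusted
    }
    public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
}""",
    "sample/Delegating.java": """
class Delegating implements javax.net.ssl.X509TrustManager {
    private javax.net.ssl.X509TrustManager platform;
    public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a)
            throws java.security.cert.CertificateException {
        platform.checkServerTrusted(c, a);
    }
}""",
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```
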