NBANDROID: Potential Security Breach in the SDK

Sorry for this catchy title, but I wanted to bring attention to you.
Until v3.2.3-stable-sdk2, the SDK uses nbandroid(dot)org as repository for NBAndroid.
Unfortunately, this site has gone offline. Problems would arise, when someone else is registering nbandroid(dot)org and starts hosting malware “nbandroid updates”.

Thus it is recommended that you remove/disable (removing will only work after said release) the NbAndroid 8.1 Update Center under Options → Plugins → Settings.

Note that this action is necessary for every instance you have which is not a clean install. Even the new version would only add the up to date NBAndroidV2 Repo (which btw you are encouraged to try out, it would be cool if Android Dev would be more SDK Native again), but not delete the old one.

If you don’t do that, I think you are also secure for the moment, because at least our jme update center had it’s own certificates in place to ensure that the modules can’t be tampered with, but I don’t know if such mechanisms are in place for nbandroid.


v3.2.3-stable-sdk2 is now available to address this issue. Download from Release v3.2.3-stable-sdk2: Fixes #194 - Upgrade NBAndroid to NBAndroidV2. Always add the latest … · jMonkeyEngine/sdk · GitHub

I’ve successfully installed v3.2.3-stable-sdk2 on both Windows and Linux.


in 3.2.3-stable-sdk2/3.2.4-stable-sdk1(same commit as i know) its impossible to disable NBAndroid option in settings.

I mean can disable, but each IDE restart this setting is “on” again.

What URL does it tell you it is? It should be the “new” one already, which is why it is turned on.
Maybe I can think about a fix which checks for the “on”/“off” state to deal with that, otherwise you are fine, only urls shall not be used anymore.

yes, its different link there, so no serious issue, but anyway its just not possible to turn it off or modify, because it return to default state after IDE restart.

just letting you know as reported to me.