We wanted to make you aware of an important security update for Android Studio.

Today we released the Android Studio 2.1.1 update. The incremental update addresses two security vulnerabilities in the underlying IntelliJ platform that affects all previous versions of Android Studio:

Built-in WebServer Vulnerabilities: A Cross-Site Request Forgery (CSRF) flaw in the IDE’s built-in WebServer could allow an attacker to access the local file system from a malicious web page without user consent.

Internal RPC Vulnerabilities: Over-permissive Cross-Origin Resource Sharing (CORS) settings could allow an attacker to access various internal API endpoints; gain access to data saved by the IDE; gather various meta-information, like IDE version; or open a project without permission.

We have had no reports of active customer exploitation or abuse of these newly reported issues, but it’s important that you update to this new version now.

JetBrains notified Google of two security issues that affect all versions of Android Studio and we worked together to develop a solution. These issues not only affect the Android Studio development environment but all JetBrains products built on IntelliJ Platform including IntelliJ IDEA. See JetBrains security posting here:http://blog.jetbrains.com/blog/2016/05/security-update-for-intellij-based-ides

We are offering security patches for versions 1.5.1, 2.0, and 2.1 of Android Studio to upgrade to v2.1.1. Simply go into Android Studio and check updates (Help → Check for Update [Windows/Linux] , Android Studio → Check for Updates [OS X]).

If you need to stay on Android Studio 1.5.x, we are also offering a zip file of v1.5.2, which includes the patch for the security vulnerabilities. Download the zip from Android Studio tools website (http://tools.android.com/download/studio/builds/1-5-2/) and manually install the zip package over your existing Android Studio installation.