May 7, 2015
Answered

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

I just got an email from Google Play saying:

"""We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details)."""

The apps listed were built on Flash 2014 with different AIR SDKs: 16, 17, 18.

I thought this issue was solved months ago.

Has anyone else received the same mail?

Best Regards

4 replies

appbeginer
Participating Frequently
May 10, 2015

Hi Paul Darky,

I received the same warning message. However, I didn't receive the second 'apology email'.

I have checked all the apps, they are using at least 1.0.1h (some 1.0.1i).

Similarly, there is no 'Alert' telling which app is the problematic one....

Hope everything is going well with this....

Can anyone confirm this?

Thanks in advance.

Inspiring
May 11, 2015

Hi appbeginer:

I suppose that sooner or later you will get the “apology email”. If you don't have any alert, it seems it was also an error sending the mail to you.

Best,

appbeginer
Participating Frequently
May 12, 2015

I really appreciate your response. I am still waiting for the email.

Hopefully it is just a mistake from Google (as the apps which I updated recently using Adobe AIR 16 are blacklisted as well...).

Paul Darky (Author, Correct answer)
Inspiring
May 8, 2015

I got this mail today from GOOGLE PLAY:

"""

Recently we sent you a notification that one or more of your apps should be upgraded to more recent version of OpenSSL, due to security vulnerabilities. The notification was sent in error, and we thank you for previously making the necessary changes to your app.

We apologize for any confusion this may have caused.

Regards,

Google Play Team"""

neliorc
Participant
May 7, 2015

I got the warning too and my apps were updated months ago to OpenSSL 1.0.1h. I followed their instructions to check the OpenSSL version, and it's all good. Also no warnings in the Developer Console, so this was probably mass sent by mistake, without properly checking if the apps have been updated. Their wording is a bit harsh, so they should be careful when sending out these emails.

Inspiring
May 7, 2015

I'd say the mail has been sent to all those developers with apps that have ever used some vulnerable OpenSSL version, even if the current version doesn't. If you go to the Developer Console and you have some vulnerable App, you'll see a warning icon at the right margin, which pops up a security alert telling the App uses a vulnerable OpenSSL version.

rzthrun
Participant
May 7, 2015

I received this email today, after having updated months ago also.
Where in the Developer Console would the warning be visible?

neliorc
Participant
May 7, 2015

"Alerts", in the left-hand menu. When we had the old OpenSSL versions, the apps were (correctly) flagged there.