June 13, 2014
Question

Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

  • June 13, 2014
  • 33 replies
  • 43348 views

Hello

I just got a message from Google Play and they said that there is a vulnerable version of OpenSSL. Now since I use Adobe AIR to do my apps I was wondering how Adobe AIR can communicate with OpenSSL?

I've been using different versions of Adobe AIR for 1 year.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby

This topic has been closed for replies.

33 replies

appbeginer
Participating Frequently
June 18, 2014

Hi,

Is anyone using the Admob ANE from Code-Alchemy/AdMobAne · GitHub?

I am curious whether this Admob ANE is bundled with OpenSSL or not. I have posted in the issue column but it seems the author is away for a while.

Generally, is Adobe ANE using OpenSSL when bundling/packaging? Is it alright if I am just waiting for the Adobe AIR update?

Thanks in advance.

dappledore
Participating Frequently
June 18, 2014

I think the admob ANEs are OK since I have other apps that use the admob SDK that is part of Google GPS and these were not flagged by Google, just AIR apps. I got a list from Google of which apps have the security flaw; they also said they will wait for me to apply the new AIR runtime to my apps since I explained I'm waiting on Adobe to update it.

Inspiring
June 18, 2014

Hi

That's quite interesting. Can you let us know how you got the "list from Google which apps have the security flaw"??? That would be very useful to all of us.

Best,

AdrianPirvulescu
Participant
June 17, 2014

Dear Chris,

thank you for your support so far. Could you please post a link in this forum thread as soon as the beta version is available?

Regards,

Adrian

June 16, 2014

Hello Chris

Thank you very much for your answer. We have 3 other questions for you.

1- For the future, as we may have another problem like that, would shared runtime fix that problem in the future? So we will not be forced to update our apps with a new version of AIR every time we have an OpenSSL problem?

2- If we use shared runtime, will the mobile users have different notifications on their mobile if the app is with shared runtime instead of captive runtime?

3- Last one: How could we do this with Flash CS6 or Flash CC?

Thanks a lot Chris

Bobby

dappledore
Participating Frequently
June 16, 2014

1. Shared runtime solves the problem but forces users to download AIR from Google Play if they don't have it on their device.

2. Same as 1

3. There is a tick box when publishing for Android that allows setting to shared or captive runtime in CS6; I don't know about CC, never used it.

June 16, 2014

Hello Chris

Do you have any date for us for the release of the beta with OpenSSL 1.0.1h so we can tell Google about it? Because right now they don't know that we can't do anything to solve that problem.

Thanks for letting us know.

Bobby

chris.campbell
Community Manager
June 16, 2014

premiums77 - We're hoping for Wednesday afternoon (GMT-7).  I'll let you know if this changes.

hferreira.80@gmail.com - I'll try and get a full change list, but my hope is that there are minimal changes between 14.0.0.110 and the beta this week.  Our next official release, on July 8th, will be a minor update to AIR 14.  AIR 15 won't be available till September.

Inspiring
June 17, 2014

Hi Chris,

In a post above from , it says that:

""""Hey Just received a response from Eric Davis from the Android Security Team from the Android Development Community Page on Google Plus on this issue:

Anyone else receive this e-mail from "Google Play Team"?Security Alert: You…

He writes

"Hi all,

I’m on the Android Security Team.  In response to your questions:

(1) You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")

(2) Please update the all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za.

(3) If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this."

edit: a few other devs also discovered that it is the apks that are bundled with captive runtime instead of the ones using shared runtime which is anything potentially Air 3.6 and up.""""

Could you let us know if that really solves the issue? I have edited several of my apps using Air 3.6 with shared runtime, so knowing that's true I wouldn't have to worry about those apps.

Best,
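
The check quoted in the post above (`unzip -p YourApp.apk | strings | grep "OpenSSL"`), written out as an added example that is not part of the original thread or from Google or Adobe: it reads every entry of an APK, finds embedded OpenSSL version banners, and compares them with the fixed releases named in the quoted reply (1.0.1h, 1.0.0m, 0.9.8za). The library file names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Fixed releases per branch, as listed in the quoted Android Security Team reply.
FIXED = {"1.0.1": "h", "1.0.0": "m", "0.9.8": "za"}
# Statically linked OpenSSL carries a banner such as "OpenSSL 1.0.1g 7 Apr 2014".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2}) ")

def letter_rank(suffix):
    """Order OpenSSL patch letters: '' < a < ... < z < za < zb."""
    rank = 0
    for ch in suffix:
        rank = rank * 27 + (ord(ch) - ord("a") + 1)
    return rank

def scan_apk(apk):
    """Return sorted (entry, version, status) for each OpenSSL banner found."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # decompresses the entry, like `unzip -p`
            for m in BANNER.finditer(data):
                branch, suffix = m.group(1).decode(), m.group(2).decode()
                fixed = FIXED.get(branch)
                if fixed is None:
                    status = "unknown branch"
                elif letter_rank(suffix) >= letter_rank(fixed):
                    status = "ok"
                else:
                    status = "outdated"
                findings.add((info.filename, branch + suffix, status))
    return sorted(findings)

def build_sample_apk():
    """Constructed sample: a zip with fake native libraries, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libexample_old.so",
                    b"\x7fELF\x00OpenSSL 1.0.1g 7 Apr 2014\x00pad")
        zf.writestr("lib/armeabi-v7a/libexample_new.so",
                    b"\x7fELF\x00OpenSSL 1.0.1h 5 Jun 2014\x00pad")
        zf.writestr("classes.dex", b"dex\n035\x00no tls code here")
    return buf

if __name__ == "__main__":
    for entry, version, status in scan_apk(build_sample_apk()):
        print(f"{entry}: OpenSSL {version} -> {status}")
```

Pass a path to a real `.apk` to `scan_apk` in place of the sample. A banner only shows which OpenSSL release was linked into a file; it does not show whether the app exercises the affected code.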

Inspiring
June 15, 2014

So what would be the best course of action? Should we update our apps with the Air 14.0.0 or should we wait for the new SDK with the OpenSSL 1.0.1h? Also, is there any way I can check the OpenSSL of my Android apps? I hope that we won't have to update our ANEs as well. The problem is that we as developers are kept in the dark and nobody would want to get an account termination email from Google Play.

Inspiring
June 16, 2014

If you carefully read every post you will understand ...

The last final AIR version 14 uses OpenSSL 1.0.1g that is not enough to satisfy the new Google Play requirements.

Chris said that they will release a new beta (new build after the last final 14) with this issue fixed, and it should be good enough despite the beta stamp. You can use this beta release (personally I always use final releases except mandatory cases like this one) or you can wait for the next final release (I suppose that should be version 15) at your own risk since we don't know the Google deadline.

About the ANEs: they don't have AIR embedded so I don't see any problem unless they use OpenSSL on their own.

Participant
June 14, 2014

I'm sure we can count on Adobe's help! We are looking forward to receiving the notification in the coming days. This is a crucial fix for all of us !!!!!!

dappledore
Participating Frequently
June 14, 2014

Just want to be clear, ANEs don't need to be recompiled with the new version, do they? Since it's the runtime only? I'm using FreshPlanet and StickMan ANEs.

Regards,

David

Known Participant
June 14, 2014

Good question. If ANEs also need to be recompiled, then it would be a huge mess, since many ANEs may not notice an update is needed, or not even care to update...

And Adobe Gaming SDK needs to be updated too!

June 13, 2014

Thank you so much Chris. Waiting for the new beta.

June 13, 2014

Chris, are you serious, July 8th? Google Play will remove all the apps using Adobe AIR from day one if we wait another 3-4 weeks. I really hope that your beta version will be available at the beginning of next week; if not, every app using Adobe AIR will face big problems in Google Play.

Please again try to release the new beta ASAP.

Bobby

chris.campbell
Community Manager
June 13, 2014

keyeskeyamada - Those are good questions and if you find out from Google, it would be great if you could post back with the answers.  From browsing this morning, it's clear that this email went out to more than just developers using the AIR SDK.

premiums77- July 8th is our normally scheduled release, however we're confident that next week's beta will be good to publish against.  We'll do our best to get this out asap.

keyeskeyamada
Participating Frequently
June 13, 2014

I just got off the chat with Google Play Developer Live Chat

I found out a few things from a very dry conversation.

1. Google is aware their execution of this e-mail has worried developers (a summary from the tsr). We need to contact them a lot more! So, in the upper right hand corner of the Developer Console, there is a question mark. CLICK it. Click on Live Chat, but make sure it's between 11am to 5pm PST and please tell them your issue. Please copy and paste the e-mail you were sent that created this all in the first place. Socially blog and share this issue so that others are aware!

2. If you demand a list of apps affected, they will tell you how many and what apps via e-mail. You have to be persistent. Mine was 95. I know it was more but that leads me to #3

3. Not all Air SDK versions were affected. My older apps that were created/published against Air 3.2, 3.3, 3.4 and 3.5 were not on the list. However 3.8 and up were which included the latest game I added that was using 13. Probably because those were the ones that included captive runtime and the others did not. The older games I updated a few months ago showed up, but the paid ones, since they were not updated did not show up unless they were newer apps.

4. This can get very ugly if Google just issues the notices and carries out removing apps without full explanation. We are not the only ones with this issue, yet they (the google reps) are telling us to search the internet to find a solution to correct the apps.

keyeskeyamada
Participating Frequently
June 13, 2014

Hello,

Just want to say that we also have received this message. We have over 200+ apps on Google Play. Some of them native and some using Adobe Air. This is a really hard job to do with two people if this is truly the case of updating our apps to the latest air sdk version. However, I have asked other developers and some of them received the same e-mail yet they were not using Adobe Air for their apps, they were using Native Java. Why did Google leave such a vague message on something very detrimental to us all if we do not get to the bottom of the issue?????

We have used so many different versions of Air SDK (since 2011) that it's not funny. Starting from CS5 to CC. Some apps have captive runtime and some do not....

Also why did Google e-mail us developers for an issue like this when they should have contacted Adobe in the first place if it is truly the runtime issue??????

chris.campbell
Community Manager
June 13, 2014

Hello everyone,

Unfortunately, with renewed focus on OpenSSL, these types of updates might be with us for some time to come. However, as noted above, the current and proper version of OpenSSL is currently 1.0.1h. AIR currently ships with 1.0.1g so we do not recommend updating with this version when complying with Google's notification email. We plan on releasing a new beta SDK next week that will contain the 1.0.1h library. You can use this beta or wait till the next official release scheduled for July 8th when submitting updated apps to the Play store.

Thanks,

Chris

Inspiring
June 13, 2014

So, all that said is worthless? The final answer is WAIT?