MJD1981
Inspiring
June 13, 2014
Question

Google Play: "vulnerable version of OpenSSL"


Hi, Google Play just sent me a warning that my Android apps compiled in AIR 4.0 are "running an outdated version of OpenSSL, which has multiple security vulnerabilities."

I don't recall using OpenSSL for anything other than my Apple certificates. Is this something AIR itself would be responsible for, or possibly a native extension? I'm using several ad-based ones such as AdMob and Vungle, as well as in-app purchases.

Doesn't make any sense to me, so I don't know how to react to it. But apparently my apps "may be considered dangerous products and subject to removal from Google Play."


5 replies

PedroDiegoF
Participant
June 13, 2014

I have several apps in the Play Store, with several AIR versions, no ANE or plugins whatsoever, just plain AIR, and got that e-mail yesterday, so it must be something about AIR itself; I don't know which version could be responsible. Apparently everyone got the same mail yesterday, and so far there's no answer from anyone on the web. I guess we should wait for Adobe to say something.

MJD1981 (Author)
Inspiring
June 13, 2014

Thanks for the clarification, pedrodiegof - saves me having to chase up my various ANE providers.

Sounds like we have to upgrade to AIR 14.0 ASAP.

Inspiring
June 13, 2014

Please see the main thread. It's likely that AIR 14 will not be sufficient.

Inspiring
June 13, 2014
Adobe Employee
June 13, 2014

Hello,

Could you please update the AIR SDK to our latest version, 14.0.0.110, available at Download Adobe AIR SDK? Please let us know if you see any problem.

Regards,

Nimit

Inspiring
June 13, 2014

It's not really an error being thrown. It's Google reaching out to devs. I got an email too from Google:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,

Google Play Team

All I can do is just update to AIR 14 and wait and see if they tell me the issue still exists. My app has 3 ANEs from milkmangames. I know they just updated their ANEs too, so I got to update the ANEs in my app first, then with 14, hopefully that will do it.

Mark.fromOP
Inspiring
June 13, 2014

Got the same email today from Google, no clue what it means.

Participant
June 13, 2014

I got the same message today.

Colin Holgate
Inspiring
June 13, 2014

I have done several AIR 4 Android apps, without seeing that error. We’re on AIR 14 now, you may as well try that, in case something got fixed along the way.

MJD1981 (Author)
Inspiring
June 13, 2014

Maybe it's an older app that has an older version of AIR. Google (as ever) were not specific: "one or more of your apps..."

I'd appreciate it if Adobe could speculate on which versions would be affected by this:
http://www.openssl.org/news/secadv_20140605.txt

Colin Holgate
Inspiring
June 13, 2014

I have done several Google Play apps now, and never seen those errors. Is there any special feature, or ANE, that you’re using which could explain why you see that?