Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

Report · Jun 12, 2014

Hello

I just got a message from google play and they said that tehre is a vulnerable version of openssl. Now since I use adobe air to do my apps I was wondering how adobe air can comunnicate with openssl?

I'm using different version of adobe air since 1 years.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby

Report · Jun 12, 2014

Are you sure this message comes from Google? Have you looked at the message headers? It should tell you the originating IP address.

Also, what is the actual address in the link in that message?

Report · Jun 12, 2014

I also get an email like that.

what to do, please help

Report · Jun 12, 2014

I received this email as well. Does anyone know what is causing this, or how to solve it?

Report · Jun 12, 2014

Me too, just received the message from google play just now, it seems like adobe air's problem..

Report · Jun 12, 2014

I got this message earlier today. I'm just wondering is the openssl invoked by my ANE or the adt packaging? I just upgraded my openssl which was ver 0.9.8 to the latest 1.0.1h on my mac, but I'm not sure if it helps. Now I'm digging into my ANE…..

Report · Jun 12, 2014

Hi All,

Please update AIR SDK to our latest version 14.0.0.110 available at Download Adobe AIR SDK , please let us know if you will face any problem.

Regards,

Nimit

Report · Jun 12, 2014

I got the same message and my app were produced with Flash Professional CC via Action Script (AS3).
Will in that case also help to update the SDK and after that to re-publish the code or do I have to wait for an Flash Prof CC - Update?

Report · Jun 13, 2014

We received this email as well. I didn't read anything about OpenSSL in the Release Notes | Flash Player® 14 AIR® 14.

nimitja can you confirm that this version realy fix this issue?

Report · Jun 13, 2014

Yes, the latest AIR SDK has updated openSSL (1.0.1g). We are also updating the Release Notes.

Regards,

Nimit

Report · Jun 13, 2014

Thanks for the fast response!

Report · Jun 13, 2014

As it said in the mail from Google(http://www.openssl.org/news/secadv_20140605.txt), we should upgrade the openssl to version 1.0.1h. Wondering if the bug already fixed in version 1.0.1g coming with the latest version 14.0.0.110 AIR SDK?

Report · Jun 13, 2014

We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon.

Regards,

Nimit

Report · Jun 13, 2014

nimitja wrote:

We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon.

Regards,

Nimit

So do we have to wait for the new AIR release or the current (14.0) is enough to fix this issue?

(For Android mobile application on Google Play)

Report · Jun 13, 2014

Yes, you can ahead with latest AIR SDK.

Regards,

Nimit

Report · Jun 13, 2014

Dear Nimit,

what means "available soon"?
All the best, Frank

Report · Jun 13, 2014

adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c

$ strings lib/android/bin/adb.exe | grep OpenSSL

Big Number part of OpenSSL 1.0.1c 10 May 2012

RSA part of OpenSSL 1.0.1c 10 May 2012

[...]

Report · Jun 13, 2014

Thanks for reporting this. We will update this soon but it does not impact your application. The openSSL updates are in the Runtime.

Regards,

Nimit

Report · Jun 13, 2014

So if we update the SDK to 14.0 then we are all done?

It does not have anything to do with Milkman's extensions? (I am using Google Play Games and AdMob)

Report · Jun 13, 2014

Is it possible that the problem exists only for older AIR-apps which are still in the store?
I have multiple apps in the store. One was produced with Flash CC over 1,5 years ago

I also have absolutely fresh AIR-Apps in store.

The problem is that googles-Email don't say which app was exactly affected?

Maybe it is enough to rebublish the code with the actual version of Flash Prof CC?

Nimit, please give us some more information - thanks a lot!

Report · Jun 13, 2014

Nimit, thanks for fast response with solution.

Going to be busy today to re-compile all my apps.

Report · Jun 13, 2014

Maybe you need to read tha last post from Chris Campbell.

Report · Jun 13, 2014

I am a bit confused... The last AIR SDK I was using was 4.0.

This is 14.0? I don't get it 🙂

Should I just put it into my Flash folder and use "Manage AIR SDK" as I did before?

Report · Jun 13, 2014

Yes, please use "Manage AIR SDK" and update with the latest AIR SDK.

Regards,

Nimit

Report · Jun 13, 2014

Hello Everybody

Thank you for your answers.

Nimitja I have more than 100 apps to update. I want to know 2 important things before I start to update all my apps. Because I want tobe 100% sure it is the problem.

Question 1: If I recompile my apps with the version 14.0.0.110 the bug will be fixed? Because I don't see any notes in that version about that.

Question 2: Do the bug come from the self signed certificate that we create with adobe air to publish our Android apps?

Question 3: Do we need to update the version of open SSL for our pc?

Thanks a lot for your help.

Robert