• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
4

Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

Guest
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

Hello

I just got a message from google play and they said that tehre is a vulnerable version of openssl. Now since I use adobe air to do my apps I was wondering how adobe air can comunnicate with openssl?

I'm using different version of adobe air since 1 years.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby

TOPICS
Performance issues

Views

38.9K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 128 Replies 128
LEGEND ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

Are you sure this message comes from Google?  Have you looked at the message headers?  It should tell you the originating IP address.

Also, what is the actual address in the link in that message?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

I also get an email like that.

what to do, please help

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

I received this email as well.  Does anyone know what is causing this, or how to solve it?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

Me too, just received the message from google play just now, it seems like adobe air's problem..

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

I got this message earlier today. I'm just wondering is the openssl invoked by my ANE or the adt packaging? I just upgraded my openssl which was ver 0.9.8 to the latest 1.0.1h on my mac, but I'm not sure if it helps. Now I'm digging into my ANE…..

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

Hi All,

Please update AIR SDK to our latest version 14.0.0.110 available at Download Adobe AIR SDK , please let us know if you will face any problem.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

I got the same message and my app were produced with Flash Professional CC via Action Script (AS3).
Will in that case also help to update the SDK and after that to re-publish the code or do I have to wait for an Flash Prof CC - Update?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

We received this email as well. I didn't read anything about OpenSSL in the Release Notes | Flash Player® 14 AIR® 14.

nimitja can you confirm that this version realy fix this issue?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Yes, the latest AIR SDK has updated openSSL (1.0.1g). We are also updating the Release Notes.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Thanks for the fast response!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

As it said in the mail from Google(http://www.openssl.org/news/secadv_20140605.txt), we should upgrade the openssl to version 1.0.1h. Wondering if the bug already fixed in version 1.0.1g coming with the latest version 14.0.0.110 AIR SDK?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

nimitja wrote:

We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon.

Regards,

Nimit

So do we have to wait for the new AIR release or the current (14.0) is enough to fix this issue?

(For Android mobile application on Google Play)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Yes, you can ahead with latest AIR SDK.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Dear Nimit,

what means "available soon"?
All the best, Frank

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c

$ strings lib/android/bin/adb.exe | grep OpenSSL

Big Number part of OpenSSL 1.0.1c 10 May 2012

RSA part of OpenSSL 1.0.1c 10 May 2012

[...]

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Thanks for reporting this. We will update this soon but it does not impact your application. The openSSL updates are in the Runtime.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

So if we update the SDK to 14.0 then we are all done?

It does not have anything to do with Milkman's extensions? (I am using Google Play Games and AdMob)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Is it possible that the problem exists only for older AIR-apps which are still in the store?
I have multiple apps in the store. One was produced with Flash CC over 1,5 years ago

I also have absolutely fresh AIR-Apps in store.

The problem is that googles-Email don't say which app was exactly affected?

Maybe it is enough to rebublish the code with the actual version of Flash Prof CC?

Nimit, please give us some more information - thanks a lot!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Nimit, thanks for fast response with solution.

Going to be busy today to re-compile all my apps.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Maybe you need to read tha last post from Chris Campbell.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

I am a bit confused... The last AIR SDK I was using was 4.0.

This is 14.0? I don't get it 🙂

Should I just put it into my Flash folder and use "Manage AIR SDK" as I did before?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Yes, please use "Manage AIR SDK" and update with the latest AIR SDK.

Regards,

Nimit

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Hello Everybody

Thank you for your answers.

Nimitja I have more than 100 apps to update. I want to know 2 important things before I start to update all my apps. Because I want tobe 100% sure it is the problem.

Question 1: If I recompile my apps with the version 14.0.0.110 the bug will be fixed? Because I don't see any notes in that version about that.

Question 2: Do the bug come from the self signed certificate that we create with adobe air to publish our Android apps?

Question 3: Do we need to update the version of open SSL for our pc?


Thanks a lot for your help.

Robert

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines