Hello
I just got a message from Google Play and they said that there is a vulnerable version of OpenSSL. Now since I use Adobe AIR to do my apps I was wondering how Adobe AIR can communicate with OpenSSL?
I have been using different versions of Adobe AIR for 1 year.
Here was the complete message:
Hello,
One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
Regards,
Google Play Team
©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.
Do you know how to fix that problem?
Bobby
Hi Robert,
Could you please share the platforms (PCs, iOS, Android) used in the 100 apps you have created, as the OpenSSL implementation is different for different platforms.
Regards,
Nimit
Of course Nimitja
I used my PC and my PC is Windows 8. I use Flash Pro CS6 version 12.0.2.529. I have been creating my apps (Android and iOS) with Adobe AIR for 13 months with different Adobe AIR versions. Here they are:
Adobe air 3.8.0.900
Adobe air 3.9.0.1050
Adobe air 4.0.0.1390
Adobe air 4.0.0.1690
Adobe air 13.0.0.61
So as you can see I used different versions of Adobe AIR over the year.
Hope it can help.
Robert
For mobile applications the AIR SDK 14.0.0.110 is enough and you don't need to update the openSSL on pc.
Regards,
Nimit
nimitja wrote:
For mobile applications the AIR SDK 14.0.0.110 is enough and you don't need to update the openSSL on pc.
Regards,
Nimit
We are using captive runtime. Is OpenSSL 1.0.1g from the AIR SDK 14.0.0.110 enough then?
The openSSL is bundled in the application so the captive application is also good to go. Hope the answer will help you.
Regards,
Nimit
But Nimit, you told us in the post above this:
"We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon."
and in the version AIR 14.0.0.110 the OpenSSL that you use is an old one, look:
adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c
$ strings lib/android/bin/adb.exe | grep OpenSSL
Big Number part of OpenSSL 1.0.1c 10 May 2012
RSA part of OpenSSL 1.0.1c 10 May 2012
So the latest version of your SDK is not good if we look at the OpenSSL version vulnerability.
Status of different versions:
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
So AIR 14.0.0.110 uses OpenSSL 1.0.1c, which is vulnerable if we check the Heartbleed info:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
You should upgrade to version 1.0.1h according to this https://www.openssl.org/news/secadv_20140605.txt
Your thoughts?
premiums77 wrote:
adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c
The OpenSSL version of adb.exe does not matter, because the adb.exe is not used by the published app.
premiums77 wrote:
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.1g is affected by multiple security vulnerabilities: OpenSSL: OpenSSL vulnerabilities
I think the problem is the Open SSL 1.0.1g version of the air runtime or captive runtime. The mail from google does not refer to the heartbleed bug.
openSSL(1.0.1g) updates are in the Runtime currently. ADB is different and has no role here to cause any vulnerability.
Regards,
Nimit
Nimitja, we don't understand what you are saying. It doesn't help and it doesn't answer my post above at all.
Please explain it to us better and tell us which version of OpenSSL AIR 14.0.0.110 uses, because if it uses this
Big Number part of OpenSSL 1.0.1c 10 May 2012
RSA part of OpenSSL 1.0.1c 10 May 2012
we will still have that vulnerability and we will not solve anything with that version of AIR.
Bobby
If we look at the Google Play email, they refer us to this URL
https://www.openssl.org/news/secadv_20140605.txt
and it says
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
So we really need to upgrade to OpenSSL 1.0.1h if we read the Google Play email and refer to the OpenSSL link they gave us.
$ unzip -p YourApp.apk | strings | grep "OpenSSL"
In my case, it was OpenSSL 1.0.1e 11 Feb 2013 when compiled with AIR 13 and it is now OpenSSL 1.0.1g 7 Apr 2014 (SDK 14.0.0.110).
Nimitja, a lot of people are waiting for an answer to my last post.
The OpenSSL (1.0.1g) is not enough; Google Play says that it takes 1.0.1h.
Please answer us ASAP about that.
Bobby
Hello,
Just want to say that we also have received this message. We have over 200+ apps on Google Play. Some of them native and some using Adobe AIR. This is a really hard job to do with two people if this is truly a case of updating our apps to the latest AIR SDK version. However, I have asked other developers and some of them received the same e-mail yet they were not using Adobe AIR for their apps, they were using native Java. Why did Google leave such a vague message on something very detrimental to us all if we do not get to the bottom of the issue?
We have used so many different versions of the AIR SDK (since 2011) that it's not funny. Starting from CS5 to CC. Some apps have captive runtime and some do not...
Also, why did Google e-mail us developers for an issue like this when they should have contacted Adobe in the first place if it is truly a runtime issue?
Hello everyone,
Unfortunately, with renewed focus on OpenSSL, these types of updates might be with us for some time to come. However, as noted above, the current and proper version of OpenSSL is currently 1.0.1h. AIR currently ships with 1.0.1g so we do not recommend updating with this version when complying with Google's notification email. We plan on releasing a new beta SDK next week that will contain the 1.0.1h library. You can use this beta or wait till the next official release scheduled for July 8th when submitting updated apps to the Play store.
Thanks,
Chris
So, all that nimitja said is worthless? The final answer is WAIT?
So, all that nimitja said is worthless? The final answer is WAIT?
No, it wasn't worthless, don't be so harsh. It's true what he said about AIR 14.0.0.110 using OpenSSL 1.0.1g.
The problem is that the version we need is 1.0.1h and I guess he wasn't fully aware of that.
So if I understood correctly, Adobe will release a beta which includes 1.0.1h in the next days. If that's so, it's good, though I don't like using beta software for production apps.
Would it hurt if I wait until the final release? Does anyone know when really is Google's deadline?
Also, does this vulnerability affect iOS? (even though Apple hasn't sent any mail about this yet).
Thank you!
That's the important question.
When does the deadline end for us? When will Google get active?
Is it maybe time to wait for the official AIR version, or must we recompile ASAP with the upcoming beta version?
Does anyone have any information about Google's plans about this?
You are right and I apologize if my post seemed harsh.
Best,
Hello,
Thank you for the response. We really appreciate that you guys are working on the issue!
However, we do not know for certain these very important things since Google is throwing this issue at US DEVELOPERS:
1. When is the deadline to correct our apps so that they comply with OpenSSL 1.0.1h? I've got 200 or so, it will take some time... every time...
2. Could other frameworks that use an APK packager have the same issue (i.e. outdated Google SDK or NDK for Eclipse)?
3. How many times do we need to keep our apps updated? What if we no longer have the ability to correct the apps and Google removes them even when the apps are unpublished (app suspension) and we risk having our Developer Account terminated (since users can still download apps even when they are unpublished but not suspended if they downloaded them before, like Flappy Bird)?
Please, I encourage you all to use the live chat feature in the Google Play Developer dashboard (11am - 5pm PST). Let's get this fixed on both sides!
Where will I find the Beta-SDK? Can you be so kind to give a link?
The latest AIR beta can always be found at: Adobe AIR 14 Beta | application development - Adobe Labs
I'll also make an announcement here: Flash Runtime Announcements when the beta is available next week.
Hey, just received a response from Eric Davis from the Android Security Team on the Android Development Community page on Google Plus on this issue:
Anyone else receive this e-mail from "Google Play Team"? Security Alert: You…
He writes:
"Hi all,
I’m on the Android Security Team. In response to your questions:
(1) You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")
(2) Please update the all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za.
(3) If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this."
edit: a few other devs also discovered that it is the APKs that are bundled with the captive runtime, instead of the ones using the shared runtime, which is potentially anything AIR 3.6 and up.
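An added example, not from this thread or from Adobe: a Python equivalent of the `unzip -p YourApp.apk | strings | grep "OpenSSL"` check from the posts above, run against a constructed sample APK and judged against the fixed releases (1.0.1h, 1.0.0m, 0.9.8za) that the Android Security Team reply lists. The library file name and the banner bytes inside it are constructed for the demo.

```python
import io
import re
import zipfile

# Minimum fixed release per OpenSSL branch, as listed in the Android Security
# Team reply quoted above (secadv_20140605).
FIXED = {"1.0.1": "1.0.1h", "1.0.0": "1.0.0m", "0.9.8": "0.9.8za"}

# Matches banners such as "RSA part of OpenSSL 1.0.1g 7 Apr 2014" inside binaries.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: +\d{1,2} \w{3} \d{4})?")


def version_key(v):
    """Sort key: 1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za (OpenSSL letter suffixes)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"not an OpenSSL version: {v!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), len(patch), patch)


def find_openssl_versions(apk_bytes):
    """Map each APK entry that embeds an OpenSSL banner to its version strings."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            versions = {m.group(1).decode() for m in VERSION_RE.finditer(zf.read(name))}
            if versions:
                found[name] = sorted(versions, key=version_key)
    return found


def assess(version):
    """'fixed', 'outdated', or 'unsupported' (a branch the advisory lists no fix for)."""
    branch = re.match(r"\d+\.\d+\.\d+", version).group(0)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unsupported"
    return "fixed" if version_key(version) >= version_key(fixed) else "outdated"


def report(apk_bytes):
    return {name: {v: assess(v) for v in vs} for name, vs in find_openssl_versions(apk_bytes).items()}


def build_sample_apk():
    """Constructed sample APK: a zip with one fake native lib carrying the 1.0.1g banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libruntime.so",
                    b"\x7fELF....RSA part of OpenSSL 1.0.1g 7 Apr 2014\x00"
                    b"Big Number part of OpenSSL 1.0.1g 7 Apr 2014\x00")
        zf.writestr("classes.dex", b"dex\n035\x00 no banner here")
    return buf.getvalue()
```

Pass the bytes of a real APK to `report()` to get the same verdict per bundled library; a result of "outdated" for the captive runtime is what the Google notice is about.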
Chris, we are getting these notifications from the Google Play Store again. Is it still not resolved?
Chris, are you serious, July 8th? Google Play will remove all the apps using Adobe AIR from day one if we wait another 3-4 weeks. I really hope that your beta version will be available at the beginning of next week; if not, every app using Adobe AIR will face big problems in Google Play.
Please, again, try to release the new beta ASAP.
Bobby
keyeskeyamada - Those are good questions and if you find out from Google, it would be great if you could post back with the answers. From browsing this morning, it's clear that this email went out to more than just developers using the AIR SDK.
premiums77- July 8th is our normally scheduled release, however we're confident that next week's beta will be good to publish against. We'll do our best to get this out asap.