• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
4

Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

Guest
Jun 12, 2014 Jun 12, 2014

Copy link to clipboard

Copied

Hello

I just got a message from google play and they said that tehre is a vulnerable version of openssl. Now since I use adobe air to do my apps I was wondering how adobe air can comunnicate with openssl?

I'm using different version of adobe air since 1 years.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby

TOPICS
Performance issues

Views

38.9K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 128 Replies 128
Community Beginner ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

I just got off the chat with Google Play Developer Live Chat

I found out a few things from a very dry conversation.

1. Google is aware their execution of this e-mail has worried developers (a summary from the tsr). We need to contact them a lot more! So, in the upper right hand corner of the Developer Console, there is a question mark. CLICK it. Click on Live Chat, but make sure its between 11am to 5pm PST and please tell them your issue. Please copy and paste the e-mail you were sent that created this all in the first place. Socially blog and share this issue so that others are aware!

2. If you demand a list of apps affected, they will tell you how many and what apps via e-mail. You have to be persistent. Mine was 95. I know it was more but that leads me to #3

3. Not all Air SDK versions were affected. My older apps that were created/published against Air 3.2, 3.3, 3.4 and 3.5 were not on the list. However 3.8 and up were which included the latest game I added that was using 13. Probably because those were the ones that included captive runtime and the others did not. The older games I updated a few months ago showed up, but the paid ones, since they were not updated did not show up unless they were newer apps.

4. This can get very ugly if Google just issues the notices and carries out removing apps without full explanation. We are not the only ones with this issue, yet they (the google reps) are telling us to search the internet to find a solution to correct the apps.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

It´s a shame that google developers are treated this way. All this seems like it was intended to create panic...

Saying: """"One or more of your apps is running an outdated version of OpenSSL...""" instead of letting us know WHICH specific apps are in trouble, makes me think that Google Play managers don´t appreciate the work we do. We all pay for a Google Developer account and each account should show which apps are in trouble and specify the reason(s) why they are in trouble.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 16, 2014 Jun 16, 2014

Copy link to clipboard

Copied

keyeskeyamada wrote:

We need to contact them a lot more! So, in the upper right hand corner of the Developer Console, there is a question mark. CLICK it. Click on Live Chat, but make sure its between 11am to 5pm PST and please tell them your issue.

I can't see that "Live Chat" option in the menu that pops up when clicking the question mark icon in the Developer Console. Maybe it's only for the U.S.?

So, can anyone who can access that live chat ask if there is a strict deadline for complying?

Thank you!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Hi,

Do you have any clue about apps created with AIR 3.6 with shared runtime? AIR 3.6 still had the choice to "GET AIR RUNTIME FROM GOOGLE PLAY".

I had published most of my apps with AIR 3.6 and I have asked twice to if he can let us know if these apps would be OK for Google, but haven´t got any answer.

Thank´s for all the info you have provided.

Best.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Thank you so much Chris. Waiting for the new beta.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 13, 2014 Jun 13, 2014

Copy link to clipboard

Copied

Just want to be clear , ANEs don't need to be recompiled with the new version do they? since its the runtime only? Im  using FreshPlanet  and StickMan ANEs .

Regards,

David

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 14, 2014 Jun 14, 2014

Copy link to clipboard

Copied

Good question. If ANE is also need to recompiled. Then, it would be a huge mass, since many ANEs may not notice an update is needed, or not even care to update...

And Adobe Gaming SDK need to be updated too!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 14, 2014 Jun 14, 2014

Copy link to clipboard

Copied

I'm sure we can count on Adobe help! We are looking forward to receive the notification for the comin up days. This is a crucial fix for all of us !!!!!!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 15, 2014 Jun 15, 2014

Copy link to clipboard

Copied

So what would be the best course of action? Should we update our apps with the Air 14.0.0 or should we wait for the new sdk with the OpenSSL 1.0.1h? Also is there any way I can check the OpenSSL of my android apps. I hope that we won't have to update our ANE's as well. The problem is that we as developers are kept in the dark and nobody would want to get an account termination email from google play .

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Jun 16, 2014 Jun 16, 2014

Copy link to clipboard

Copied

If you carefully read every post you will understand ...

The last final AIR version 14 uses OpenSSL 1.0.1g that is not enough to satisfy the new Google Play requirements.

Chris, said that they will release a new beta (new build after the last final 14) with this issue fixed and should be good enough despite the beta stamp. You can use this beta release (personally I always use final releases except mandatory cases like this one) or you can wait for the next final release (I suppose that should be version 15) at your own risk since we don't know the Google dead line.

About the ANEs they don't have AIR embed so I don't see any problem unless they use OpenSSL at their own.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Jun 16, 2014 Jun 16, 2014

Copy link to clipboard

Copied

Helo Chris

Do you have any date for us for the release of the beta with Open SSL 1.0.1h so we can tell google about it? Because right now they don't know that we can't do anything to solve that problem.

Thanks to let us know.

Bobby

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 16, 2014 Jun 16, 2014

Copy link to clipboard

Copied

premiums77 - We're hoping for Wednesday afternoon (GMT-7).  I'll let you know if this changes.

hferreira.80@gmail.com - I'll try and get a full change list, but my hope is that there are minimal changes between 14.0.0.110 and the beta this week.  Our next official release, on July 8th, will be a minor update to AIR 14.  AIR 15 won't be available till September.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 17, 2014 Jun 17, 2014

Copy link to clipboard

Copied

Hi Chris,

In a post above from , it says that:

""""Hey Just received a response from Eric Davis from the Android Security Team from the Android Development Community Page on Google Plus on this issue:

Anyone else receive this e-mail from "Google Play Team"?Security Alert: You…

He writes

"Hi all,

I’m on the Android Security Team.  In response to your questions:

(1) You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")

(2) Please update the all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za.

(3) If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this."

edit: a few other devs also discovered that it is the apks that are bundled with captive runtime instead of the ones using shared runtime which is anything potentially Air 3.6 and up.""""

Could you let us know if that really solves the issue? I have edited several of my apps using Air 3.6 with shared runtime, so knowing that´s true I wouldn´t have to worry about those apps.

Best,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Um ... it's long past GMT-7 ... can we hope for the new beta sometime in the next couple days? Respectfully,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Hi Chris,

It´s me again with this issue that I think it´s important for a lot of us:

In a post above from , it says that:

""""Hey Just received a response from Eric Davis from the Android Security Team from the Android Development Community Page on Google Plus on this issue:

Anyone else receive this e-mail from "Google Play Team"?Security Alert: You…

He writes

"Hi all,

I’m on the Android Security Team.  In response to your questions:

(1) You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")

(2) Please update the all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za.

(3) If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this."

edit: a few other devs also discovered that it is the apks that are bundled with captive runtime instead of the ones using shared runtime which is anything potentially Air 3.6 and up.""""

Could you let us know if that really solves the issue? I have edited several of my apps using Air 3.6 with shared runtime, so knowing that´s true I wouldn´t have to worry about those apps.

Best,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

chris.campbell wrote:

premiums77 - We're hoping for Wednesday afternoon (GMT-7).  I'll let you know if this changes.

We ran into a snag when building the runtime components that has caused our beta to be delayed.  We have the components built now and QA will be working through the night to verify no major injections have occurred.  If that goes well, then we expect to release the beta tomorrow (Thursday).

Paul Darky wrote:

Could you let us know if that really solves the issue? I have edited several of my apps using Air 3.6 with shared runtime, so knowing that´s true I wouldn´t have to worry about those apps.

From what I understand, this issue should only apply to applications built using the captive runtime.  If anyone has any information that contradicts this, please let us know asap.

Thanks,

Chris

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Thank´s Chris. It would be very helpful to be assured that this issue should only apply to applications built using the captive runtime. As Google is not informing each developer WHICH apps have to be updated, this info would save a lot of work to some of us.

Best,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

#1 - You can e-mail google play support (googleplay-developer-support@google.com or use the contact form in the developer dashboard which is in the right top hand corner...its a question mark) for them to e-mail you a list of apps upon request. If you used air and packaged apks from version 3.6 and up they will be on this list if you used Captive Runtime.

#2 - Chris Campbell I received an e-mail from google play support in response to the e-mail that they sent me with my list. I asked them about the deadline and heres what they said to me:

Hi Keyeske,

Thanks for getting back to me.

I do not have a date I can share with you at the moment. That being said, we encourage all developers to prioritize upgrading to a newer version of OpenSSL in order to protect their users.

Hope this helps. Please let us know if we can help with anything else.

So looks like no deadline as of yet but its urgent. Kind of a soft critical warning. Had me in panic rage for a few days just to receive a wonderful please don't panic we haven't set a deadline sort of e-mail haha. We should get well acquainted with the folks at Google and contact support often so we can get better information and notice warnings in the future. I wish I could have the ability to go to Google I/O and ask questions like this at their Google Play Store Developers fireside chat... can't ask when I'm watching it through stream.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Thank´s for your help keyeskeyamada


I already sent them an email asking for a list of my apps which are be affected by this issue. As soon as I receive an answer I will let you all know if AIR 3.6 shared runtime apps are not in the problem.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

This may help someone else:

Thanks to ´s advices I sent an email to googleplay-developer-support@google.com (several times) asking for a list of my apps which are be affected by this issue. After sending the SAME EMAIL SEVERAL TIMES they answered this:

""""

Hello,

Thanks for contacting Google Play Developer Support about the security alert you have received with regard to using highly vulnerable version of OpenSSL.

We understand that you would like to know which of your apps are impacted. Please find the list below:

air.com.musycom.EarTraining1

air.IDENTBAJO

air.IL.A0

air.LecturaMusicalPracticaPRO

air.Notas.de.la.Guitarra

If you are working with a 3rd party, Please work with them to address this.

We are recommending that you visit developer support forums and IRC chat communities where developers help each other solve development-related issues.

Hope this helps. Please let us know if we can help you with anything else.

Regards,

Audrey

Google Play Developer Support""""

Just to let you know: I have more than 60 apps on GOOGLE PLAY and the ones affected by this issue are just the ones that were published with AIR runtime integrated.

I think this will save a lot of time to some of you.

Thank´s again to

Best Regards,

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 18, 2014 Jun 18, 2014

Copy link to clipboard

Copied

Just for the record, this is the answer I've received:

Thank you for your message.

The current deadline is "asap".

We are aware of the upcoming Adobe update, so please do not worry that your apps will be removed before that.

If I can be of any further assistance, please let me know.

Best regards,

So they know about this. We just have to wait a bit...

For the impatient, I guess compiling with an old version of AIR which allows shared runtime would solve the issue as well, but it's annoying for users to have to download a separate package after downloading your app, and might put some users off. So I prefer to use captive runtime.

Anyway, Google is not going to remove our apps before Adobe releases its updated SDK, so don't worry.

Best regards.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jun 19, 2014 Jun 19, 2014

Copy link to clipboard

Copied

The latest beta, with OpenSSL 1.0.1h, is now available on labs.adobe.com.  Thank you guys for your patience and please let us know if you run into any issues.

6/19/2014 - Beta - AIR 14.0.0.125

Thanks,

Chris

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Jun 19, 2014 Jun 19, 2014

Copy link to clipboard

Copied

Hi Chris,

Thank you very much. Already updated in 2 Android apps.

Am I see thinks (my imagination) or the new Android 14 it's blazing faster comparing to AIR 13. I already saw native app much more slower !?

This is the second update that I see improving performance without info about in the release notes but this time was amazing faster.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 19, 2014 Jun 19, 2014

Copy link to clipboard

Copied

Thanks very much!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 20, 2014 Jun 20, 2014

Copy link to clipboard

Copied

Can we assume that apps using the shared runtime option will be OK once the update is rolled out there ?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines