Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

Report · Jun 12, 2014

Hello

I just got a message from google play and they said that tehre is a vulnerable version of openssl. Now since I use adobe air to do my apps I was wondering how adobe air can comunnicate with openssl?

I'm using different version of adobe air since 1 years.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby

Report · Jun 20, 2014

ChivertonT wrote:

Can we assume that apps using the shared runtime option will be OK once the update is rolled out there ?

AFAIK, the shared runtime option can't be used in recent AIR versions, only with older versions (a few versions ago already).

Report · Jun 23, 2014

Apps using the shared runtime are not effected by the OpenSSL issue. You should be able to target your app for captive or shared runtime by using either the command line or via the deployment tab when exporting a release build in Flash Builder.

Report · Dec 18, 2014

Hi,

I used the new AIR SDK 16 (released december 2014), and I still get the warning about OpenSSL. Anyone else experiencing the same?

Thanks in advance,

Dries

Report · Dec 18, 2014

Same here.

I greped my APK as google instructed, found out OpenSSL version as 1.0.1i.

Google wrote: The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za.

...So, what's wrong with mine?

Report · Dec 19, 2014

You have to wait 1 day and the alert will disappear.

Report · Dec 20, 2014

I just got this error too. I haven't updated my apps in about a year so they might be vulnerable but why then didn't I get an email in June with everyone else?

Also, @hferreira.80@gmail.com, did you verify if the new SDK is faster?

Report · Dec 20, 2014

I see improvements from version to version.

Report · Mar 31, 2016

I recently got this email from Google saying my app is using the old version of Open SSL and is vulnerable to logjam attack?

I am using AIR SDK 20 for my app, does it have the fix for CVE-2015-3194?

The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

They're saying that the vulnerabilities were addressed in OpenSSL 1.02f/1.01r. Does Adobe AIR SDK have this version of OpenSSL?

Report · Mar 31, 2016

I just got the notice as well. I am in the process of updating apps anyway but not sure which SDK solves the issue.

Report · Apr 01, 2016

mola2alex wrote:

I just got the notice as well. I am in the process of updating apps anyway but not sure which SDK solves the issue.

Read the thread. 21.0 contains required OpenSSL version

Report · Apr 03, 2016

I got the same message, all my apps are using Adobe Air 21. But I am using the Admob ANE from Milkmangames on all of them. I am starting to get frustrated.

Report · Apr 04, 2016

Just to be clear- none of the extensions from Milkman Plugins embed the OpenSSL libraries at all. If you're sure your app is updated to the latest Adobe AIR SDK, double check your other apps as well- you might receive the warning email if App A is still using an outdated AIR SDK, even if App B has been updated.

-Alex, milkmanplugins.com

Report · Apr 04, 2016

Thank you for the clarification Alex.

It is an Adobe/Google issue. All my games are using Adobe Air 21.0.0.138, I downloaded the latest AIR SDK (21.0.0150) and updated one of my games. The warning didn't go away automatically, I had to dismiss it manually. So far the warning for that game have not come up again.

Report · Apr 04, 2016

I'm touching base with the team to make sure we've done everything right with AIR 21, then will be reaching out to Google. Hopefully we'll get to the bottom of this.

Thanks,
Chris

Report · Apr 18, 2016

Hi,

The warning signs reappeared again in my developer console, in front of each of my apps (most of them are made with AIR 19). I didn't receive an email from Google though. Do you also have this issue, even with latest AIR version?

Thank you!

Report · Apr 24, 2016

Hi,

I still have the warning on my dev dashboard, but no feedback here. Am I the only one experiencing this? Could you please confirm that upgrading to AIR 22 solves the issue? This is important, thank you very much for any reply.

Report · Jun 16, 2014

Hello Chris

Thank you very much for your answer. We have 3 others questions for you.

1- For the futur as we may have another problem like that, do shared runtime would fix that problem in the futur? So we will not be forced to update our apps with a new version of air everytime we have an Open SSL problem?

2- If we use shared runtime, do the mobile users will have different notifications in their mobile if the apps is with shared runtime instead of captive runtime?

3- Last one: How could we do this with Flash CS6 or Flash CC?

Thanks a lot Chris

Bobby

Report · Jun 16, 2014

1.Shared runtime solves the problem but forces users to download AIR from Google play if they dont have it on their device.

2.Same as 1

3.There is a tick box when publishing for android that allows setting to shared or captive runtime in CS6 dont know about CC never used it.

Report · Jun 17, 2014

Dear Chris,

thank you for your support so far. Could you please post a link in this forum thread as soon the beta version is available?

Regards,

Adrian

Report · Jun 18, 2014

Hi,

Is anyone using the Admob ANE from Code-Alchemy/AdMobAne · GitHub?

I am curious whether this Admob ANE is bundled with openssl or not. I have posted inthe issue column but seems the author is away for a while.

Generally, is Adobe ANE using openssl when bundling/packaging? Is it alright if i am just waiting for the Adobe AIR update?

Thanks in advance.

Report · Jun 18, 2014

I think the admob ANEs are OK since i have other apps that use the admob SDK that is part of Google GPS and these were not flagged by Google just Air apps. I got a list from Google which apps have the security flaw , they also said they will wait for me to apply the new AIR Runtime to my apps since i explained im waiting on Adobe to update it.

Report · Jun 18, 2014

Hi dappledore

That´s quite interesting. Can you let us know how you got the "list from Google which apps have the security flaw"??? That would be very useful to all of us.

Best,

Report · Jun 18, 2014

Thanks for your reply. I really hope that there are no other dependencies affected.

Right now seems the only way is to wait for the Adobe update.

Report · Jun 19, 2014

Hello Chris

Thank you Very much for your help and the beta version. I'm going to try it now.

Thanks again

Bobby

Report · Jul 09, 2014

So is this the appropriate version, that fixes the OpenSSL problem?

7/8/2014 - Release - AIR 14 Runtime and SDK

(I did not want to work with a beta so I waited for the release of the regular version)

This is the first time, that I get in contact with SDKs, which have to be installed manually. So I hope I made everything right. I use a Mac / Maverick.

First I tried it with the runtime for Mac, but this did not work. I have installed it, but it I was not able to choose it in FlashCC with the AIR SDK manager.

Then I tried the SDK & Compiler for Macintosh. I downloaded it and copied the folder (AIRSDK_Compiler) in the FlashCC folder and integrated it with the "+" Button of the AIR SDK manager of Flash. It seemed to work. Now I can choose AIR 14.0.0.137 for Android, IOS, or desktop in Flash CC.

Still I am a little bit concerned, if I did everything right. (No experience with AIR SDK installing).

I want to render my existing Android Apps again with the new and safe AIR version and update them in Google Play.

Did I install the right version in a valid way?