Google Play: "vulnerable version of OpenSSL"

Report · Jun 12, 2014

Hi, Google Play just sent me a warning that my Android apps compiled in AIR 4.0 are "running an outdated version of OpenSSL, which has multiple security vulnerabilities."

I don't recall using OpenSSL for anything other than my Apple certificates. Is this something AIR itself would be responsible for, or possibly a native extension? I'm using several ad-based ones such as AdMob and Vungle, as well as in-app purchases.

Doesn't make any sense to me, so I don't know how to react to it. But apparently my apps "may be considered dangerous products and subject to removal from Google Play."

Report · Jun 12, 2014

I have done several AIR 4 Android apps, without seeing that error. We’re on AIR 14 now, you may as well try that, in case something got fixed along the way.

Report · Jun 12, 2014

Maybe it's an older app that has an older version of AIR. Google (as ever) were not specific: "one or more of your apps..."

I'd appreciate it if Adobe could speculate on which versions would be affected by this:
http://www.openssl.org/news/secadv_20140605.txt

Report · Jun 12, 2014

I have done several Google Play apps now, and never seen those errors. Is there any special feature, or ANE, that you’re using which could explain why you see that?

Report · Jun 12, 2014

I got the same message today.

Report · Jun 12, 2014

Hello,

Could you please update AIR SDK to our latest version 14.0.0.110 available at Download Adobe AIR SDK , please let us know if you will see any problem.

Regards,

Nimit

Report · Jun 12, 2014

Its not really an error being thrown. It's Google reaching out to devs. I got an email to from Google

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,

Google Play Team

All I can do is just update to Air 14 and wait and see if they tell me the issue still exist. My app has 3 ane from milkmangames. I know they just updated there ANEs too,so I got to update the ANEs in my app first then with 14, hopefully that will do it.

Report · Jun 13, 2014

Got the same email today from Google, no clue what it means.

Report · Jun 13, 2014

Please see the main thread : Re: Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

Report · Jun 13, 2014

I have several apps in the Play Store, with several AIR versions, no ANE or plugins whatsoever, just plain AIR, and got that e-mail yesterday, so it must be something about AIR itself, don't know wich version could be responsible. Aparently everyone got the same mail yesterday, so far there's no answer from anyone in the web. I guess we should wait for Adobe to say something

Report · Jun 13, 2014

Thanks for the clarification, pedrodiegof - saves me having to chase up my various ANE providers.

Sounds like we have to upgrade to AIR 14.0 ASAP.

Report · Jun 13, 2014

Please see the main thread. It's likely that AIR 14 will not be sufficient.