Highlighted

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

Engaged ,
May 07, 2015

Copy link to clipboard

Copied

I just got an email from Google Play saying:

"""We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details)."""

The apps list were built on Flash 2014 with different AIR SDKs: 16, 17, 18

I thought this issue was solved months ago.

Has anyone else received the same mail?

Best Regards

I got this mail today from GOOGLE PLAY:

"""

Recently we sent you a notification that one or more of your apps should be upgraded to more recent version of OpenSSL, due to security vulnerabilities. The notification was sent in error, and we thank you for previously making the necessary changes to your app.

We apologize for any confusion this may have caused.

Regards,

Google Play Team"""

TOPICS
Performance issues

Views

1.5K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

Engaged ,
May 07, 2015

Copy link to clipboard

Copied

I just got an email from Google Play saying:

"""We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details)."""

The apps list were built on Flash 2014 with different AIR SDKs: 16, 17, 18

I thought this issue was solved months ago.

Has anyone else received the same mail?

Best Regards

I got this mail today from GOOGLE PLAY:

"""

Recently we sent you a notification that one or more of your apps should be upgraded to more recent version of OpenSSL, due to security vulnerabilities. The notification was sent in error, and we thank you for previously making the necessary changes to your app.

We apologize for any confusion this may have caused.

Regards,

Google Play Team"""

TOPICS
Performance issues

Views

1.5K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
May 07, 2015 0
Explorer ,
May 07, 2015

Copy link to clipboard

Copied

I'd say the mail has been sent to all those developers with apps that have ever used some vulnerable OpenSSL version, even if the current version doesn't. If you go to the Developer Console and you have some vulnerable App, you'll see a warning icon at the right margin, which pops up a security alert telling the App uses a vulnerable OpenSSL version.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 07, 2015 0
New Here ,
May 07, 2015

Copy link to clipboard

Copied

I received this email today, after having updated months ago also.
Where in the developer console would we the warning be visible ?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 07, 2015 0
New Here ,
May 07, 2015

Copy link to clipboard

Copied

"Alerts", in the left-hand menu. When we had the old OpenSSL versions, the apps were (correctly) flagged there.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 07, 2015 0
New Here ,
May 07, 2015

Copy link to clipboard

Copied

"Looks like everything is going well"

Capture.PNG

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 07, 2015 0
New Here ,
May 08, 2015

Copy link to clipboard

Copied

Ok, I got an apology email today saying they sent the warning to previously fixed applications and then attached an updated list of applications needed fixing. They are still listing one of my games there, which makes no sense as they all were compiled with the same AIR version, and yesterday I checked the strings in the APKs and they all have OpenSSL 1.0.1h. Could it be yet another mistake?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 08, 2015 0
New Here ,
May 08, 2015

Copy link to clipboard

Copied

I have also received an apology email, - which also thanks me for making the previous necessary changes.

We have two games that use AIR on the Google Play market, one was released prior to the revelation of heartbleed, one after. This may be significant, since the only app referenced in any of the warning emails we've gotten is the one which was released before heartbleed was found.

- The first warning email we received June 14th, 2014, we updated AIR and released the update.

- There was a second warning on December 17th, 2014. We did not update the application at this time. Also, our second app had been released prior to receipt of this notice. No specific application was referenced in this warning.

- The third warning was received yesterday May 7th, 2015. But it specifically references only the application released before June 14th 2014.

I am under the impression that the 3rd warning was a mistake because both applications are using the same version of AIR, but only one which is know to once have contained the vulnerability was referenced in the warning.

-neliorc, I would suspect there is a mistake based on what you've described, given my experience with second warning email. However, perhaps you should consider updating to 17 just in case?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 08, 2015 0
New Here ,
May 07, 2015

Copy link to clipboard

Copied

I got the warning too and my apps were updated months ago to OpenSSL 1.0.1h. I followed their instructions to check the OpenSSL version, and it's all good. Also no warnings in the Developer Console, so this was probably mass sent by mistake, without properly checking if the apps have been updated. Their wording is a bit harsh, so they should be careful when sending out these emails.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 07, 2015 0
Engaged ,
May 08, 2015

Copy link to clipboard

Copied

I got this mail today from GOOGLE PLAY:

"""

Recently we sent you a notification that one or more of your apps should be upgraded to more recent version of OpenSSL, due to security vulnerabilities. The notification was sent in error, and we thank you for previously making the necessary changes to your app.

We apologize for any confusion this may have caused.

Regards,

Google Play Team"""

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 08, 2015 0
Community Beginner ,
May 10, 2015

Copy link to clipboard

Copied

Hi Paul Darky,

I received the same warning message. However, I don't receive the second 'apology email'.

I have checked all the apps, they are using at least 1.0.1h (some 1.0.1i).

Similarly, there is no 'Alert' telling which app is the problematic one....

Hope everything is going well with this....

Can anyone confirm this?

Thanks in advance.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 10, 2015 0
Engaged ,
May 11, 2015

Copy link to clipboard

Copied

Hi appbeginer:

I suppose that sooner or later you will get the “apology email”. If you don´t have any alert seems it was also an error sending the mail to you.

Best,

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 11, 2015 0
Community Beginner ,
May 12, 2015

Copy link to clipboard

Copied

I really appreciate your response. I am still waiting for the email.

Hopefully it is just a mistake from Google (as the apps which i updated recently using adobe air 16 are blacklisted as well...).

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 12, 2015 0