[Resolved] Security problem with OpenSSL, app can be removed on Google Play whenever

Hi guys,

I use cocos2d-x 3.0-final to make my game and published it to the Google Play store.

Today I received mail from Google Play.

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

How can I update OpenSSL?

Thanks

I have the same e-mail today. I think this issue has something to do with curl being compiled using OpenSSL. I think there’s a need to recompile that library using latest OpenSSL version. I’ll wait for more replies here.

Hello,

Checked on other sites and others are claiming that they also got similar emails from Google. They say that it could be 3rd party SDK using OpenSSL that’s causing this.

I’m using cocos2d-x 2.x version, Ad Mob, Google Play Services and EziSocial Facebook Integration library. I would appreciate if someone from cocos2d-x core team can confirm if this is an engine issue or not.

Thank you.

I also got the same email.

Who can help provide libcurl compiled with the new OpenSSL?
http://www.openssl.org/news/secadv_20140605.txt

I also got the same email, and reading around I think it is some third-party library I am using.

As someone mentioned here, I am using Cocos2d-x 2.2.3 and EziSocial (with the Facebook API).

Does someone know which of them is causing the problem?

I think the libcurl caused the problem.

I asked EziByte and they said that EziSocial is not using OpenSSL. Their only guess is that it could be Facebook SDK or cocos2d-x.

https://github.com/minggo/libcurl-build

http://www.openssl.org/

Upgrade the openssl-android to openssl 1.0.0m, and rebuild it.

Can you give more detailed instructions on how to build it?
I think it's a serious issue for all cocos2d-x games, and I expect a simple way to patch this SSL security problem (e.g. update the libcurl.a) for all the different cocos2d-x versions, because some games are still running old versions of cocos2d-x.

I just found a solution but can't build it. Hope the cocos2d-x team can help fix it, just upload a libcurl.a… Thank you!

Waiting for https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin update…

Thanks for feedback.
We will update it ASAP.

I have updated ssl to v1.0.1e. You guys can download them here.

I will update https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin soon.

Could somebody help check whether it can pass through Google Play?
Thanks.


Some developers said v1.0.1h is needed,
so I had to update to v1.0.1h.

It is done. https://github.com/minggo/libcurl-build/tree/master/prebuild-with-ssl is updated to v1.0.1h.
And I will post it to https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin after it is confirmed.

https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin is updated too.
But you can just download zip files of updated curl here for convenience.

Any help verifying that it can pass through Google Play is appreciated.


Thanks for your attention.

I will apply this update and verify if it can pass through Google Play ASAP.

But I think this problem can occur on all platforms. Why is there only an update for Android?

And how to rebuild this lib?

Thanks

@zhangxm I uploaded an APK with your precompiled libs and my update went through fine.

*Btw: You can verify the version of OpenSSL your app is running by using BlueBox's Heartbleed Scanner. Ignore the "Passed" indicator, as this new vulnerability isn't Heartbleed – we're just looking at the version number here: compare the version of your SSL before and after you replace it with @zhangxm's static lib.*
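The check above relies on an on-device scanner app, but the same information can be read offline: a statically linked OpenSSL leaves its literal version banner (e.g. `OpenSSL 1.0.1e 11 Feb 2013`) inside the `.so`, and that string is what such scanners key on. The script below is an added example, not code from the thread or from cocos2d-x. It opens an APK as a zip, pulls every `lib/<abi>/*.so`, extracts the banner, and compares the patch letter against the first release of each branch that carried the June 2014 fixes (1.0.1h, 1.0.0m, 0.9.8za, taken from secadv_20140605). The per-branch floor table, the sample APK and the `.so` contents are constructed for the example and are assumptions, not project data.

```python
"""Scan an APK's native libraries for embedded OpenSSL version banners.

Added example: a static libcurl+OpenSSL keeps its "OpenSSL x.y.zL <date>"
string in the .so, so the shipped version can be read straight out of the APK.
"""
import io
import re
import zipfile

# Assumption: first patched release per branch from secadv_20140605, used as the floor.
PATCHED_FLOOR = {
    (1, 0, 1): "h",
    (1, 0, 0): "m",
    (0, 9, 8): "za",
}

VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'1.0.1h' -> ((1, 0, 1), 'h'); raises on malformed input."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def letter_key(suffix):
    # OpenSSL patch letters run a..z, then za, zb, ...: a longer suffix is newer.
    return (len(suffix), suffix)


def is_outdated(version):
    """True if this version predates the patched floor for its branch."""
    branch, letter = parse_version(version)
    floor = PATCHED_FLOOR.get(branch)
    if floor is None:
        # Branch not in the table: anything older than 0.9.8 is unsupported,
        # anything newer (1.0.2+) was never affected by this advisory.
        return branch < min(PATCHED_FLOOR)
    return letter_key(letter) < letter_key(floor)


def find_openssl_versions(blob):
    """Return sorted unique version strings found in a native library's bytes."""
    found = set()
    for m in VERSION_RE.finditer(blob):
        found.add(b".".join(m.group(1, 2, 3)).decode() + m.group(4).decode())
    return sorted(found)


def scan_apk(apk_bytes):
    """Map each lib/<abi>/*.so entry to (versions found, outdated?)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                versions = find_openssl_versions(zf.read(name))
                report[name] = (versions, any(is_outdated(v) for v in versions))
    return report


def build_sample_apk():
    """Constructed stand-in for a real APK: fake .so blobs carrying version banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libcocos2dcpp.so",
                    b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...")
        zf.writestr("lib/armeabi-v7a/libcocos2dcpp.so",
                    b"\x7fELF...OpenSSL 1.0.1h 5 Jun 2014\x00...")
        zf.writestr("lib/armeabi/libother.so", b"\x7fELF...no ssl here")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for name, (versions, bad) in scan_apk(data).items():
        print(f"{'OUTDATED' if bad else 'ok      '} {name}: {versions or '-'}")
```

Run it against a real build with `python scan_apk.py app-release.apk`; without an argument it scans the constructed sample, where the `armeabi` library still carries 1.0.1e and is flagged while the `armeabi-v7a` one with 1.0.1h passes. Check every ABI directory, since a half-updated build (one ABI rebuilt, another left with the old prebuilt) is exactly the case a per-ABI report catches.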

@forget721
We will update iOS lib today or tomorrow.
Now iOS and Android are in different repos. And because curl building is complex, we will try to unify them and add a link here.

@Jgod
Thanks for your feedback.