[Resolved] Security problem with OpenSSL, app can be removed on Google Play whenever

[Resolved] Security problem with OpenSSL, app can be removed on Google Play whenever
0.0 0

#1

Hi guys,

I use cocos2dx3.0-final to make my game and published to Google Play store

Today I receive mail from Google Play.

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

How can I update OpenSSL?

Thanks


OpenSSL Security Alert Mail from Google Play for android apps
Open SSL Issue on Cocos2d-x Gplay
OpenSSL Security Alert Mail from Google Play for android apps
#2

I have the same e-mail today. I think this issue has something to do with curl being compiled using OpenSSL. I think there’s a need to recompile that library using latest OpenSSL version. I’ll wait for more replies here.


#3

Hello,

Checked on other sites and others are claiming that they also got similar emails from Google. They say that it could be 3rd party SDK using OpenSSL that’s causing this.

I’m using cocos2d-x 2.x version, Ad Mob, Google Play Services and EziSocial Facebook Integration library. I would appreciate if someone from cocos2d-x core team can confirm if this is an engine issue or not.

Thank you.


#4

I also got the same email.


#5

Who can help provide libcurl compiled by new openssl ?
http://www.openssl.org/news/secadv_20140605.txt


#6

I also got the same email, and reading around I think is some third party library I am using.

As someone mention here, I am using Cocos2d-x2.2.3 and Ezisocial (with Facebook API).

Does someone know which of them is causing the problem?


#7

I think the libcurl caused the problem.


#8

I asked EziByte and they said that EziSocial is not using OpenSSL. Their only guess is that it could be Facebook SDK or cocos2d-x.


#9

https://github.com/minggo/libcurl-build

http://www.openssl.org/

Upgrade the openssl-android to openssl 1.0.0m, and rebuild it.


#10

Can you give more detail instruction how to build it?
I think it’s a serious issue for all cocos2dx games and expected a simple way to patch this SSL security problem (e.g. update the libcurl.a) for all difference cocos2dx versions. Because some games are still running old version of cocos2dx.


#11

I just find a solution but can’t build it. Hope cocos2d-x team can help fixing it, just upload a libcurl.a… Thank you!

Waiting for https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin update…


#12

Thanks for feedback.
We will update it ASAP.


#13

I have updated ssl to v1.0.1e. You guys can download them here.

I will update https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin soon.

Could somebody help to checkout if it can pass through google play.
Thanks.


#14

Some developer said, v1.0.1h is needed.
So i had to update to v1.0.1h.


#15

It is done. https://github.com/minggo/libcurl-build/tree/master/prebuild-with-ssl is updated to v1.0.1h.
And i will post it to https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin after it is confirmed.


#16

https://github.com/cocos2d/cocos2d-x-3rd-party-libs-bin is updated too.
But you can just download zip files of updated curl here for convenience.

Anyone who can help to verify if it can pass through google play is appreciated.


#17

#18

Thanks for your attention.

I will apply this update and verify if it can pass through Google Play ASAP.

But I think this problem can occur on all platforms. Why only have update for Android?

And how to rebuild this lib?

Thanks


#19

@zhangxm I uploaded an APK with your precompiled libs and my update went through fine.

*Btw: You can verify the version of openSSL your app is running by using BlueBox’s Heartbleed Scanner. Ignore the “Passed” indicator, as this new vulnerability isn’t Heartbleed – we’re just looking at the version number here: compare the version of your ssl before and after you replace it with @zhangxm 's static lib. *


#20

@forget721
We will update iOS lib today or tomorrow.
Now iOS and Android is in different repo. And because curl building is complex, we will try to unify them and add a link here.

@Jgod
Thanks for your feedback.