SSL vulnerability

Hi,

I've received this e-mail from Google Play Team:

---

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.

---

After investigation I detected that the Wikitude library uses OpenSSL 1.0.1c. It is recognized as vulnerable.

Even though those vulnerable functions aren't used by the library, I don't know how to convince the Google Play team of the safety and security of my app.

I risk my app being removed from Google Play.

Can you consider using OpenSSL 1.0.1h instead of OpenSSL 1.0.1c?

PS. I bought a key for my app - com.osmino.wifil

We are aware of this issue and will provide a resolution for this very soon.

The just-published version of the Wikitude SDK in the Developer Release Channel uses the latest available version of OpenSSL (1.0.1h) and should comply with Google's security advisory. You can download it from the Developer Release Channel.

Hello,

I have downloaded the new Wikitude SDK from the developer channel (WikitudeSDK_Android_3.3.2_2014-06-18_17-07-51) and integrated it with my project, then I checked the OpenSSL version using the unzip and strings commands. I observed that Wikitude is still using OpenSSL version 1.0.1c.

I checked the same thing with the Wikitude sample; it shows that it is linked with OpenSSL version 1.0.1c.

Command:-

$ unzip -p /cygdrive/d/WikitudeSDKSamples.apk | strings | grep "OpenSSL"

Output:-

/Users/simonfriesenbichler/ArchitectCoreCurl/Android/OpenSSL1.0.1cForAndroidStaticLib/ssl/s2_clnt.c

/Users/simonfriesenbichler/ArchitectCoreCurl/Android/OpenSSL1.0.1cForAndroidStaticLib/ssl/s2_lib.c

/Users/simonfriesenbichler/ArchitectCoreCurl/Android/OpenSSL1.0.1cForAndroidStaticLib/ssl/s2_enc.c

/Users/simonfriesenbichler/ArchitectCoreCurl/Android/OpenSSL1.0.1cForAndroidStaticLib/ssl/s2_pkt.c

Can you please look into this and give some more information regarding this issue?

Thanks and Regards,

Jayawant Jagtap


Thanks for the check. You are right that the Developer Release Channel from 18.06.2014 still contains parts of version 1.0.1c. The updated Developer Release Channel from 20.06.2014 now only includes 1.0.1h (see below):

unzip -p WikitudeSDK_Android_3_3_2/Examples/apk/WikitudeSDKSamples.apk | strings | grep OpenSSL | grep 1.0.1

OpenSSL 1.0.1h 5 Jun 2014

/.gitrepo-trunk/ArchitectCoreCurl/Android/OpenSSL1.0.1hStaticLib/ssl/ssl_cert.c

/.gitrepo-trunk/ArchitectCoreCurl/Android/OpenSSL1.0.1hStaticLib/ssl/ssl_sess.c

/.gitrepo-trunk/ArchitectCoreCurl/Android/OpenSSL1.0.1hStaticLib/ssl/ssl_ciph.c

/.gitrepo-trunk/ArchitectCoreCurl/Android/OpenSSL1.0.1hStaticLib/ssl/ssl_rsa.c

/.gitrepo-trunk/ArchitectCoreCurl/Android/OpenSSL1.0.1hStaticLib/ssl/ssl_asn1.c


Please update to Developer Channel Release 20.06.2014
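The check both sides of this thread ran by hand (unzip the APK, run strings, grep for OpenSSL), as an added Python example that is not part of this thread or of the Wikitude SDK. It builds a small sample APK inline (constructed data, not a real SDK build), extracts every "OpenSSL x.y.z" marker from each member, whether from the version banner or from embedded source paths like the ones quoted above, and reports members whose OpenSSL is older than 1.0.1h.

```python
import io
import re
import zipfile

# Matches both the banner ("OpenSSL 1.0.1h 5 Jun 2014") and the build-path
# form seen in the thread ("OpenSSL1.0.1cForAndroidStaticLib/...").
VERSION_RE = re.compile(rb"OpenSSL ?(\d+\.\d+\.\d+[a-z]*)")
# Minimum acceptable version for this advisory (assumption: 1.0.1 branch).
FIXED = "1.0.1h"


def parse_version(v):
    """'1.0.1c' -> (1, 0, 1, 'c'); the letter suffix sorts lexically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % v)
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def openssl_versions(apk_bytes):
    """Map each APK member to the set of OpenSSL version strings it contains."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)  # equivalent of `unzip -p` for one member
            versions = {m.group(1).decode() for m in VERSION_RE.finditer(data)}
            if versions:
                found[name] = versions
    return found


def vulnerable_members(apk_bytes, fixed=FIXED):
    """Members carrying any OpenSSL version older than `fixed`."""
    floor = parse_version(fixed)
    return {name: vs for name, vs in openssl_versions(apk_bytes).items()
            if any(parse_version(v) < floor for v in vs)}


def build_sample_apk():
    """Constructed sample: one lib built from 1.0.1c sources, one from 1.0.1h."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libold.so",
                    b"\x7fELF\x00/OpenSSL1.0.1cForAndroidStaticLib/ssl/s2_clnt.c\x00"
                    b"OpenSSL 1.0.1c 10 May 2012\x00")
        zf.writestr("lib/armeabi/libnew.so",
                    b"\x7fELF\x00OpenSSL 1.0.1h 5 Jun 2014\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, versions in vulnerable_members(build_sample_apk()).items():
        print("%s: OpenSSL %s (older than %s)" % (member, ", ".join(sorted(versions)), FIXED))
```

On a real APK, pass `open(path, "rb").read()` to `vulnerable_members`; a library that only embeds the version in source paths (as the 1.0.1c build above did) is still caught.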