Wikitude

OpenSSL upgrade - Google Play notification

My apologies for the delayed reply. We've been hard at work to get the official release finished as soon as possible.

 

 

 

@Takamitsu Araki:

 

Your Android build errors are caused by using an android-cordova version pre 5.0.0. For now we require that you update to at least the 5.0.0 version. You can easily do this by running the following operations on the command line.

 

cordova platform remove android

cordova platform add android@5

 

The following issue tracked on github might provide some additional information:

 

https://github.com/Wikitude/wikitude-cordova-plugin/issues/105#issuecomment-174728414

 

Regarding your iOS build errors I cannot provide any information yet, but I will get back to you shortly.

 

 

@Lidya Agustina

 

I would recommend updating the Wikitude plugin using this procedure:

 

1. Download and extract the Cordova Plugin archive

2. Open your favourite terminal application and change your working directory to the root folder of your project

3. run "cordova plugin remove com.wikitude.phonegap.WikitudePlugin"

4. run "cordova plugin add <path_to_the_extracted_plugin_content>" (i.e. "cordova plugin add ~/Downloads/Wikitude_Cordova_Plugin_5-2-0_3-3-0_2016-06-08_15-10-41")

5. run "cordova build android --release"

6. check for the OpenSSL version again using grep

 

The resulting apk should now contain OpenSSL version 1.0.1r.

 

 

 

I will provide additional information regarding the outstanding issues as soon as possible.

The iOS related build issues should be fixed in the official release package which will be available today.

Please let us know if your issues are resolved or whether they persist after switching to the official release.

Hi,

Google Play sent out a message to every app owner yesterday with a notification that apps including OpenSSL library with a version lower than 1.0.1r or 1.02f will not be allowed after July 11th. The email roughly looks like the following:

Your app(s) listed at the end of this email utilize a version of
OpenSSL that contains one or more security vulnerabilities. If you
have more than 20 affected apps in your account, please check the
Developer Console for a full list.

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as
possible and increment the version number of the upgraded APK.
Beginning July 11, 2016, Google Play will block publishing of any new
apps or updates that use older versions of OpenSSL. If you?re using a
3rd party library that bundles OpenSSL, you?ll need to upgrade it to a
version that bundles OpenSSL 1.02f/1.01r or higher.

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest
versions of OpenSSL can be downloaded here. To confirm your OpenSSL
version, you can do a grep search for ($ unzip -p YourApp.apk |
strings | grep "OpenSSL")."

 

The Wikitude SDK 5.1.x is using OpenSSL 1.0.1j which included a fix for the Heartbleed bug. The notification from 31st of March 2016  is new and Wikitude will provide an update to the Wikitude SDK in time, so customer and users of the Wikitude SDK are not affected by the security measurement by Google Play. This will be either a short-term maintenance release or included in the next feature release.

: Wikitude will include the latest OpenSSL 1.0.1 branch (at the moment 1.0.1s) in the Wikitude SDK 5.x (JavaScript) branch (likely to be 5.2.0). Older version of the Wikitude SDK (2.x, 3.x, 4.x) will not receive the update. Wikitude official extensions will also receive the update. The Wikitude SDK Native API and the Unity Plugin are not affected by this. At the moment we are looking at a release date end of April/early May.

 

: The final stable release 5.2.0/1.3.0 now includes OpenSSL 1.0.1r and resolved this issue. Please use only this and don't use any pre-release version of the SDK.

@ Lidya Agustina

 

I just created and built an app from scratch using the official 5.2.0-3.3.0 cordova release package from http://www.wikitude.com/download/.

The grep output of the resulting apk reads RC2 part of OpenSSL 1.0.1r  28 Jan 2016.

Are you positive, that you grep'd the information from the correct apk file? (<your_project_root>/platforms/android/build/outputs/apk/android-release-unsigned.apk for --release)

 

If so, I would like you to try to build an empty application and check the apk created thereby.

 

Please execute the following commands in your terminal of choice:

1. cordova create cordova_empty com.lidya.empty cordova_empty

2. cd cordova_empty

3. cordova platform add android@5

4. cordova plugin add <path_to_the_extracted_cordova_package>

 

The open the AndroidManifest.xml file in <project_root>/platforms/android/ with whatever text editor you fancy and change the android:minSdkVersion from 14 to 15.

 

5. cordova build android --release

6. cd platforms/android/build/outputs/apk/

7. unzip -p android-release-unsigned.apk | strings | grep "OpenSSL"

 

I would expect OpenSSL version 1.0.1r now.

 

I tested this using the latest cordova version (6.2.0).

 

Regarding iOS: I also created and built an empty application using the latest cordova-ios version (4.2.0) without any issues. I would recommend removing the cordova-ios package you currently have installed and reinstalling the latest one:

 

1. cordova platform remove ios

2. cordova platform add ios@4

@ Takamitsu Araki

Could you provide your config.xml file for me to have a look at?