Google play message: Security Alert: You are using a highly vulnerable version of Ope

Android Android Development
1

Hello

I just got this message by email and I was wondering if other people got this message and how to fix that problem?

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it’s unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

2

are you using scoreloop or similar service in your apps?

3

no I’m using only admob and chartboost in my game apps using adobe air

4

I just got this cryptic message as well.

It’s really annoying when they do things like this. They obviously know which apps are afected. How hard would it be to add it to the email?

5

I’ve received the same email from Google Play, I am using adMob only with AIR, I wonder what could be generating this error?

6

So it seems it has something with Adobe AIR. I have some AIR apps also. Maybe we should check with Adobe, where they’re using OpenSSL :slight_smile:

7

Do they use openSSL when we create a certificate? Mine is one year old I was wondering if it could be the problem

8

I’m also an Adobe AIR developer and got the same email. Check this:

Adobe Releases Security Updates for Flash Player and Air | US-CERT

It seems there’s a new version of the SDK, so we should recompile our games against it. Don’t know what to do about the ANEs, though.

9

Yeah, it sounds more like a certificate issue or something…

10

Can we create a new certificate and update our apps with that new certificate? I tought we were forced to use always the same certificate once you add an apps

11

I have installed this on one of my devices: https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector

then it says “The version of OpenSSL on your device is affected by the Heartbleed bug (1.0.1c), but the vulnerable behavior is not enabled.”

weird stuff

12

Yeah, I just ran a heartbleed check too.

I’m guessing, but I think Google is just flagging any app that includes a version of ssl older than about a week, which is 1.0.1h.

13

Ok, it seems we should wait for the AIR SDK update
https://forums.adobe.com/message/6454881

14

yeah we will wait until google play remove our apps…I hope Adobe will launch the new package to fis thix issue

15

Let’s hope they release the new SDK ASAP.

16

You can download the Beta with the fix at adobe: (Beta - AIR 14.0.0.125) Download Adobe AIR 14 Beta - Adobe Labs