Monday, April 6, 2015

Google Play Security Alert You are using a highly vulnerable version of OpenSSL !

Seriously, the Gmail message with this title "Security Alert: You are using a highly vulnerable version of OpenSSL" freaked me out yesterday. Below shows the details of the message:

Hello,
One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.
Please note, while its unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
Regards,
Google Play Team

I am sure I am not the only one suffering from this threatening message. A quick search brings me to this Adobe AIR forum thread. From my understanding of the discussion in the forum, it is the inconsistency of the OpenSSL version in the apps that triggers this unfavorable announcement. As noticed,

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
However, at the time of writing, the Adobe AIR 14 only deploys the OpenSSL 1.0.1g, which is still potentially not the qualifying version. Meaning? Most of the Adobe AIR developers are affected.

What is worse is that, Google Play doesnt provide any timeline info about how long the buffer is before taking any action. Meanwhile, the Adobe AIR staffs couldnt promise an exact date for another stable and problem-free release. THAT MAKES THE CHAOS!

We realize the potential harms due to the outdated OpenSSL applied, and the urgency to update the apps as soon as possible. However, at the same time, we hope the Google Play could be more polite and transparent in conveying the message to us. For example, which apps are affected? And what is more disturbing is that, we have no idea whether the OpenSSL issue could be be caused by other dependencies such as the third-party Adobe ANE.

What to do now? Lets keep our finger crossed and hope the Adobe AIR could update us as soon as possible...

Update on 2014-06-20 
The latest Adobe AIR 14.0.0.125 with the updated OpenSSL 1.0.1h is available NOW. Although it is a beta version, it has at least solved the "Security Alert" issue.