I get a warning on the Google Play Developer Console that the game may be subject to removal from Google Play because of the vulnerable openSSL version:
"Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible. The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ($ unzip -p YourApp.apk | strings | grep "OpenSSL"). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt. To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play."
Our openFrameworks version is 0.8.0. I see that openSSL distributed with oF is precompiled for Android. And its version is 1.0.0a. I understand from the openSSL news page given above that openSSL needs to be updated to 1.0.0m.
What do I have to do now? How do I upgrade openSSL to 1.0.0m? Could someone please help me to do the job?
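The Play alert quoted above tells you to confirm the linked OpenSSL version with `unzip -p YourApp.apk | strings | grep "OpenSSL"`. The following is an added example, not code from this thread or from openFrameworks: it performs the same check with only the Python standard library, scanning the native libraries inside an APK for OpenSSL version banners and comparing each against the first fixed release on its branch (1.0.1h, 1.0.0m, 0.9.8za, as named in the alert). The sample APK it builds is a constructed stand-in (a zip with one fake `.so` carrying an embedded banner), and the library name `libOFAndroidApp.so` is assumed for illustration.

```python
"""Scan an APK's native libraries for OpenSSL version banners and compare
them with the first fixed versions named in the Google Play alert."""
import io
import re
import zipfile

# First fixed release on each branch, as listed in the Play alert.
FIXED_VERSIONS = {"1.0.1": "h", "1.0.0": "m", "0.9.8": "za"}

# Matches banners such as b"OpenSSL 1.0.0a 1 Jun 2010" inside a binary blob.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")


def suffix_key(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def find_openssl_versions(apk_bytes):
    """Return the set of (branch, suffix) pairs found in the APK's lib/*.so entries."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("lib/") or not name.endswith(".so"):
                continue
            data = apk.read(name)
            for match in VERSION_RE.finditer(data):
                branch = b".".join(match.group(1, 2, 3)).decode()
                found.add((branch, match.group(4).decode()))
    return found


def assess(apk_bytes):
    """Map each detected version to 'vulnerable', 'ok' or 'unknown branch'.

    A branch missing from FIXED_VERSIONS is reported rather than guessed at,
    since the alert only names fixes for the three branches above."""
    verdicts = {}
    for branch, suffix in find_openssl_versions(apk_bytes):
        version = branch + suffix
        fixed = FIXED_VERSIONS.get(branch)
        if fixed is None:
            verdicts[version] = "unknown branch"
        elif suffix_key(suffix) < suffix_key(fixed):
            verdicts[version] = "vulnerable"
        else:
            verdicts[version] = "ok"
    return verdicts


def build_sample_apk(banner):
    """Constructed stand-in for an APK: a zip holding a fake native library
    (assumed name) that embeds the given OpenSSL banner between padding bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        blob = b"\x7fELF" + b"\x00" * 32 + banner + b"\x00" * 32
        apk.writestr("lib/armeabi-v7a/libOFAndroidApp.so", blob)
    return buf.getvalue()


if __name__ == "__main__":
    # Two constructed banners: the 0.8.0 bundled version and a fixed one.
    for banner in (b"OpenSSL 1.0.0a 1 Jun 2010", b"OpenSSL 1.0.1j 15 Oct 2014"):
        print(assess(build_sample_apk(banner)))
```

To check a real APK, pass `open("YourApp.apk", "rb").read()` to `assess()`; the same scan also catches the case where more than one bundled library carries its own OpenSSL copy, which a single `grep` hit can hide.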
We are currently working on updating all of the included libraries for the 0.9.0 release. We do this using the "apothecary" scripts. @arturoc recently updated the Android scripts to build openSSL 1.0.1j.
Updating is then a matter of running the apothecary scripts for openSSL first and then for Poco (which links against openSSL). The apothecary scripts will then install the new libs / headers in the right places.
The only downside is that this currently has only been tested with the master branch … and if your app was last compiled w/ 0.8.0 you might run into some issues …
That said, you might be able to grab the apothecary scripts library, drop it into the 0.8.0 distro and run the apothecary scripts to rebuild / install the updated Poco/openSSL libs … but your mileage may vary, as everything with apothecary is still under active development …
This is a super important issue though, so we'll try to be helpful.
ARMv5 won't be supported any more from 0.9. All new phones with ARM have ARMv7, and old phones with ARMv5 won't support most OF apps anyway. I've released a couple of apps with ARMv7 at least 2 years ago and never received a complaint that it wasn't working for some device.
And yes, Poco depends on openssl, so if you change the version of openssl you'll need to recompile Poco.
Also, openssl is used in OF to download URLs through https, so unless you are using some kind of https server through Poco your app shouldn't have any security vulnerability associated with openssl.
@arturo it doesn't seem the headers are the problem in my case, but the toolchain and OS names sent to the NDK. Here is the error I receive when I try to upgrade Poco via apothecary:
Host system 'linux-x86' is not supported by the source NDK!
Try --system=<name> with one of: linux-x86_64
^ Received error ^
Please read the error message above. It writes 4.6 and linux-x86. I am on Ubuntu 64-bit and my openFrameworks is configured to use arm-linux-androideabi-4.8. So I somehow need to change 4.6 to 4.8 and linux-x86 to linux-x86_64. Where do I fix that?
I have the same problem with Google Play Store.
The exact message in the developer console is: "Security alert - Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible."
Do I have to reproduce the steps from this thread, or is it ready in the last OF release?
I compiled a newer version of openssl for Android with the help of the apothecary system. Then I recompiled our game with this new one and the Google Play warning disappeared. I didn't update all of openFrameworks' openssl libs, thinking I might break something on the other platforms. But I have the recompiled version for Android. If you need it I can share it with you. Or you can recompile it yourself using the apothecary system.