URGENT PROBLEM! Google Play warning for removal because of openSSL version!

Hi,

I have an urgent problem!

I get a warning on the Google Play Developer Console that the game may be subject to removal from Google Play because of the vulnerable openSSL version:

"Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible. The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt. To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play."

Our openFrameworks version is 0.8.0. I see that openSSL distributed with oF is precompiled for Android. And its version is 1.0.0a. I understand from the openSSL news page given above that openSSL needs to be updated to 1.0.0m.

What do I have to do now? How do I upgrade openSSL to 1.0.0m? Could someone please help me do the job?

We are currently working on updating all of the included libraries for the 0.9.0 release. We do this using the “apothecary” scripts. @arturoc recently updated the android scripts to build openSSL 1.0.1j.

I’d recommend getting this branch:

https://github.com/openframeworks/openFrameworks/pull/3451

And running the apothecary scripts for both openSSL and then Poco (which links against openSSL). The apothecary scripts will then install the new libs / headers in the right places.

The only downside is that this currently has only been tested with the master branch … and if your app was last compiled w/ 0.8.0 you might run into some issues …

That said, you might be able to grab the apothecary scripts library, drop it into the 0.8.0 distro and run the apothecary scripts to rebuild / install the updated Poco/openSSL libs … but your mileage may vary as everything with apothecary is still under active development …

This is a super important issue though, so we’ll try to be helpful :smile:

hey @bakercp,

Thanks for the quick reply.

Sounds like bad news for a C++ newbie…

Ok, anyway, I am now downloading the new master. I will copy the apothecary scripts into of080, and will try to rebuild openssl and poco with the help of the apothecary scripts.

Give it a shot – here’s a checklist:

  1. Check out the apothecary docs https://github.com/openframeworks/openFrameworks/tree/master/scripts/apothecary
  2. Make sure you have your android paths set https://github.com/openframeworks/openFrameworks/blob/master/libs/openFrameworksCompiled/project/android/paths.default.make
  3. Make sure you pull in (or just use) this branch https://github.com/bakercp/openFrameworks/tree/apothecary-poco-libs
  4. If you choose to try 0.8.0 first, grab the entire scripts/apothecary directory from the branch in step 3 and drop it into the scripts/apothecary folder in your 0.8.0 folder.
  5. In the scripts/apothecary folder run:
     ./apothecary -t android update openssl
     ./apothecary -t android update poco
  6. Cross your fingers :slight_smile:

First, I run:

./apothecary -t android update openssl

It works and I get the message

Finished "openssl"

But it compiled only for armeabi-v7a and x86. How do I also compile for armeabi v5?

Second, I run:

./apothecary -t android update poco

I get an error message:

Preparing "poco"

Auto-config: --toolchain=arm-linux-androideabi-4.6
Host system 'linux-x86' is not supported by the source NDK!
Try --system=<name> with one of:  linux-x86_64
 ^ Received error ^

Where do I change this "system" variable?

EDIT:

Addition to the SECOND question:
How do I change arm-linux-androideabi-4.6 to 4.8?

It looks like openssl is being compiled only for v7 and x86. You can probably modify the script to also build the v5 version … not sure why it isn’t there – @arturo is v5 still supported?

It looks like Poco is being installed with these three archs:

Not exactly sure about your poco error … what OS / arch are you using to compile and what toolchain are you using?

I believe you can change your android toolchain by getting the latest from android and updating your android.paths file https://github.com/openframeworks/openFrameworks/blob/master/libs/openFrameworksCompiled/project/android/paths.default.make

That said … I have not done much android development … so my knowledge is getting a little thin …

ping @theDANtheMAN @arturo

My computer's OS is Ubuntu 12.04 64bit
Android ndk version r9b

configuration lines from config.android.default.mk:

PLATFORM_DEFINES = ANDROID
NDK_PLATFORM = android-17
SDK_TARGET = android-17
GCC_VERSION = 4.8

Oh, and why should I upgrade poco? The Google Play warning is only for openSSL. Is the poco library linked against openSSL as well?

I added the necessary code to formulas/openssl.sh to build the library for armeabi v5. I compiled it under oF080. I didn't touch poco.

Then I tested our android game after updating it to the new openssl. It looks like it works. I don't notice an error or difference.

Is there a specific usage of openssl that I have to check (especially related to poco)?
(+ can somebody still help me upgrade poco as well?)

arm v5 won't be supported any more from 0.9. All new phones with arm have arm7, and old phones with arm5 won't support most OF apps anyway. I've released a couple of apps with armv7 at least 2 years ago and never received a complaint that it wasn't working for some device.

And yes, poco depends on openssl, so if you change the version of openssl you'll need to recompile poco.

Also, openssl is used in OF to download urls through https, so unless you are using some kind of https server through poco your app shouldn't have any security vulnerability associated with openssl.

I need to update openssl to the latest version. I updated it via apothecary. But how do I update poco? Did you see the error I get when trying to update poco via the current formula?

I haven't tried to recompile poco for android yet. Have you tried to use the old one? If the headers haven't changed much or you are not using any function that might have changed, it should work too.

@arturo it doesn't seem the headers are the problem in my case, but the toolchain and OS names sent to the ndk. Here is the error I receive when I try to upgrade poco via apothecary:

Preparing "poco"

Auto-config: --toolchain=arm-linux-androideabi-4.6
Host system 'linux-x86' is not supported by the source NDK!
Try --system=<name> with one of:  linux-x86_64
 ^ Received error ^

Please read the error message above. It says 4.6 and linux-x86. I am on Ubuntu 64bit and my openFrameworks is configured to use arm-linux-androideabi-4.8. So I somehow need to change 4.6 to 4.8 and linux-x86 to linux-x86_64. Where do I fix that?

What I meant is that I would try to only recompile openssl without recompiling poco, since it's possible that it would work.

@arturo,
I did it yesterday.

  • I recompiled (thanks to apothecary) only openssl, without recompiling poco.
  • Then I recompiled the apk with oF080 including the new openssl.
  • The apk's openssl version was successfully changed from 1.0.0a to 1.0.1j.
  • I tested the game; it seems everything works.
  • Then I uploaded the new apk to Google Play. The removal warning disappeared.

But I am still looking into upgrading poco, as it may cause some other untested problems.

Plus a side note: as the previous version of openssl is vulnerable, I think it should be renewed in all newer openFrameworks distributions on all platforms.

The issue is resolved for now.
Thanks to @bakercp for helpful guidance about the new useful apothecary mechanism.
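The check Google's notice describes (`unzip -p YourApp.apk | strings | grep "OpenSSL"`) and the confirmation above that the apk went from 1.0.0a to 1.0.1j both come down to the same thing: find the OpenSSL version string embedded in the native library and compare it with the first fixed release of that branch. Here is an added shell example of that check. It is not code from this thread or from openFrameworks/apothecary; it scans a file with `grep -ao` instead of `strings` so it needs no binutils, the fixed-version table is the one from the notice quoted at the top of the thread (1.0.1h, 1.0.0m, 0.9.8za), and the file it scans is a constructed stand-in rather than a real .so.

```shell
#!/bin/sh
# Added example, not code from the thread or from openFrameworks.
# Finds "OpenSSL x.y.z<suffix>" version strings inside a native library and
# compares them with the first release of that branch that fixed the June
# 2014 advisory, as listed in the Google Play notice.

# First fixed release per branch, from the notice quoted in the thread.
fixed_for_branch() {
    case "$1" in
        1.0.1) echo h ;;
        1.0.0) echo m ;;
        0.9.8) echo za ;;
        *)     return 1 ;;   # branch not covered by the notice
    esac
}

# OpenSSL letter suffixes order as "" < a < ... < z < za < zb ...:
# a longer suffix is newer; equal length means plain lexical order.
# Prints 1 when $1 is at or after $2, otherwise 0.
suffix_ge() {
    a=$1; b=$2
    if [ ${#a} -ne ${#b} ]; then
        [ ${#a} -gt ${#b} ] && echo 1 || echo 0
        return 0
    fi
    first=$(printf '%s\n%s\n' "$a" "$b" | sort | head -n1)
    [ "$first" = "$b" ] && echo 1 || echo 0
}

# Classify a version such as 1.0.0a: prints ok, vulnerable or unknown.
classify_version() {
    ver=$1
    branch=$(printf '%s' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    suffix=${ver#"$branch"}
    need=$(fixed_for_branch "$branch") || { echo unknown; return 0; }
    if [ "$(suffix_ge "$suffix" "$need")" = 1 ]; then
        echo ok
    else
        echo vulnerable
    fi
}

# Scan one binary. grep -a treats it as text and -o prints only the matches,
# which does the job of "strings | grep OpenSSL" without needing binutils.
scan_binary() {
    grep -ao 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" | sort -u |
    while read -r _ ver; do
        printf '%s %s\n' "$ver" "$(classify_version "$ver")"
    done
}

# Constructed stand-in for a lib/<abi>/*.so pulled out of an APK.
sample=$(mktemp)
printf 'junk\0OpenSSL 1.0.0a 1 Jun 2010\0more junk\0' > "$sample"
scan_binary "$sample"   # 1.0.0a vulnerable
rm -f "$sample"
```

To run it against a real build, unzip the apk and pass each `lib/<abi>/*.so` to `scan_binary`. Every ABI carries its own copy of the library, which is why the rebuild discussed above has to cover each architecture you ship (the apothecary run here produced only armeabi-v7a and x86); a library that reports a version outside the three branches in the notice comes back as `unknown` rather than being silently treated as fixed.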

I have the same problem with Google Play Store.
The exact message in the developer console is: "Security alert - Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible."
Do I have to reproduce the steps from this thread, or is it ready in the last OF release?

No, OF’s current openssl is the older version.

I compiled a newer version of openssl for Android with the help of the apothecary system. Then I recompiled our game with this new one and the Google Play warning disappeared. I didn't update all of openframeworks' openssl libs, thinking I might break something on the other platforms. But I have the recompiled version for Android. If you need it I can share it with you. Or you can recompile it yourself using the apothecary system.

The forum has a 2 MB file limit. That's why I uploaded the recompiled 1.0.1j version to GitHub. If you need it you can download it from the link below:

openSSL 1.0.1j lib for Android

Thank you! I'll try it and tell you how it goes.