OpenSSL Google Security Alert

Hi,

I just go this warning today from Google:

Security alert

Your app is using a version of OpenSSL containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

How to address OpenSSL vulnerabilities in your apps

This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.02f/1.01r.  These versions contain security vulnerabilities.  

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK.

Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL.  

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep “OpenSSL”).

If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.  

The vulnerabilities include “logjam” and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post toStack Overflow and use the tags “android-security” and “OpenSSL.”

While these issues may not affect every app that uses OpenSSL versions prior to 1.02f/1.01r, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you an OpenSSL warning in error, contact our support team through the Google Play Developer Help Center.

Which version of CoronaSDK are you using?  What operating system are you using?

Corona SDK Enterprise v2016.2830  I’m developing on Windows 7.

Thanks, Greg

I got the same thing… The plugin needs upgrading

I got the same warning from Google today…

I got same email from Google.

Here is the log of Corona SDK.

Copyright © 2009-2016  C o r o n a   L a b s   I n c .
4月 01 04:30:08.284:     Version: 3.0.0
4月 01 04:30:08.284:     Build: 2016.2839
4月 01 04:30:11.622: lua-openssl version: 0.0.5    Lua 5.1    OpenSSL 1.0.1j 15 Oct 2014
 

I got the email too. Yesterday I noticed a shed load of apps with warning messages on the dashboard. Won’t be able to update or add any new apps with this current ssl version after July.

Same here, built using Corona SDK Enterprise v2016.2830 on OSX Yosemite. As adrianm says, perhaps the plugin needs upgrading.

Same email here. I only use OpenSSL for local encryption (not communication, which is where I believe the security vulnerabilities lie), but Google does not recognize that distinction. 

By the way, if the OpenSSL library could be updated to also be compatible with running in the iOS Simulator (it currently causes an error, as has been mentioned here before), that would be even better.

Same here yo1… Don’t want anyone with a text editor and root privileges giving themselves free iaps!

Engineering is aware of this and are investigating solutions.

Just want to +1 this.  Need this plug-in updated.

Just want to +1 this.  I only use OpenSSL for local encryption but google does not care

Ive just been working on a jason>string mangler/demangler, with verification. Ill add one more pass to it tomorrow then i can do away with SSL plugin. 

Rob, any update on updating the OpenSSL plugin? Normally would be more patient but those of us using it are up against a deadline with Google and will need to find a work around if Corona is not able tp update it quick enough.

The deadline is July 11, 2016. That’s over 3 months away. Our engineers need time to access the issue and make sure we get a solid solution out to you. We are quite aware of this and we will be working to fix it. We understand your desire to get this solved sooner than later, but we hope you understand we need need time to research this and give you a non-rushed solution.

Rob

There is an alternative way for the impatient like me.

You get your save table, converted to json. Convert it to a string, mangle it up and use that to save. On load you un-mangle it and it works a treat. I can supply an example and you can use that as a base if anyone is interested. The only downside is that if you removed the plugin, you wont be able to open up any existing games saves. The plan to that is to keep the plugin AND the new method on next apk update so i can load the save data and convert it to my new save data format. Then I will have to update the apk again with the plugin removed. 

Rob,

I completely understand, We have a lot of apps affected and we don’t want to be 3 months down the road and rushing to implement a solution as we will “need time to access the issue and make sure we get a solid solution.”

Thanks for the update.

Thanks for the suggestion. This is very similar to my Plan B. Iam hoping not go this route which is why getting an idea of the timeline for Corona to fix this issue is a deciding factor. 

I use in my project, only 2 of the openssl functions

openssl = require “plugin.openssl”

cipher = openssl.get_cipher ( “aes-256-cbc” )

cipher:encrypt() --1
cipher:decrypt() --2

Is there an analog thereof in pure lua?