"Your app is using a version of OpenSSL containing a security vulnerability"

Getting Started Newbie Questions
#1

Hi, 

I have the following problem problem with uploading APKs to the android developer console.

"Security alert

Your app is using a version of OpenSSL containing a security vulnerability."

I have tried building with the most recent daily build (2016.2984) and the most recent release build (2016.2949) with no luck.

I have managed to build and publish versions of this app with the same code for encryption before but as of tuesday, any updates have been rejected with the above reason.

the suggestion from google’s support is “**Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher” **but i do not know how to do this in corona

in my build.settings I have this

settings = { plugins = { ["plugin.openssl"] = { publisherId = "com.coronalabs", }, } }

The encryption is only used as an obfuscation method so that users who may wish to tamper with the app settings stored on the phone cannot.

this is the code that i use in the lua files to encrypt/decrypt the data.

local json = require( "json" ) local openssl = require( "plugin.openssl" ) encKey = "RANDOMKEY" cipher = openssl.get\_cipher ( "aes-256-cbc" ) local filePath = system.pathForFile( "somefile.json", system.DocumentsDirectory ) local goldTable = {} local file = io.open( filePath, "w" ) if file then file:write( cipher:encrypt( json.encode( goldTable ), encKey) ) io.close( file ) end local file = io.open( filePath, "r" ) if file then local contents = file:read( "\*a" ) io.close( file ) goldTable = json.decode( cipher:decrypt(contents, encKey) ) print(contents) end

Can anyone give some pointers as to why this is insecure or is there a better way of doing this?

Thanks!

#2

Can you explain this further? 

Where are you seeing this message?

Are you uploading a production build or an alpha or beta build?

At what point in the upload process are you seeing the message?

Our OpenSSL plugin is using the latest versions required by Google

Thanks

Rob

#3

Hi,

I’ve tried to upload to alpha and beta. Both have been rejected by google and i got this Alert

Security alert

Your app is using a version of OpenSSL containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Affects APK version  32.

 http://imgur.com/kTIftWm

I’ve seen a post on here from earlier this year where i think this was fixed in a daily build so i have no idea why it is happening with the newest release build.

#4

You can verify the version of the OpenSSL plugin using one of it’s internal API calls.  I think it’s openssl.version(). You can print that value out. You can also verify the version of Corona you’re using using system.getInfo( “build” ).

Print out those values and let me know what you get?

#5

The openSSL version returns 0.0.6 and the Corona build returns 2016.2984

#6

It should be returning 1.0.2h for OpenSSL.

Are you on a Mac or Windows?

#7

I’m on windows 10

#8

Can you open up a cmd.exe shell and do a:

cd %USERPROFILE%\AppData\Roaming\Corona Labs\Corona Simulator\Plugins

and do a “dir” command and look for plugin_openssl.dll and let me know what it says. Also if it’s older than 02/11/2016 try deleting the file:  

del plugin_openssl.dll

and then try building and see what numbers you get.

Rob

#9

Before you delete the plugin, download, build and run this sample:

https://github.com/coronalabs/plugins-sample-openssl

It will print the right number.  Apparently the .version() API was printing a different value.

Rob

#10

I have this displaying this now in the Corona simulator output which i presume should be right.

lua-openssl version: 0.0.6 Lua 5.1 OpenSSL 1.0.2h  3 May 2016

I’ll try build my app again and try to upload it, annoyingly it will be a couple of hours before i’ll know if it has worked.

Thanks for the help so far

#11

App was rejected again, No more information was given apart from the same security alert as before.  Any other suggestions?

#12

Can you show a current screen shot showing the message saying it was rejected with your latest submission?

Rob

#13

it doesn’t give a huge amount of information.

http://imgur.com/a/TTpcL

http://imgur.com/a/cQvf7

since the first APK uploaded, it hasn’t given another alert so i presume it doesn’t give multiple alerts for the same rejection reason.

#14

Update: int the pre-launch report i found this for the same APK

SECURITY SCAN COMPLETE

No known vulnerabilities were detected for APK 35.

I have tried moving the apk to beta where there was another rejected apk in the hopes that Google checks both builds and gives an overall result.  Since the pre-launch says that this APK is safe I can only assume for now that it is a problem with how Google tests the builds.

#15

Okay, Thank you for all of your help, The problem is now fixed. There were a few things going on that caused the problem that I list for anyone who manages to do this in the future.

  • The main cause of the problem is that I managed to build an APK on a new machine that had an older build of Corona on it (a release build from Februrary 2016).  This build used an old version of OpenSSL that Google does not allow due to major insecurities.
  • I uploaded this APK to Beta as it was only meant to be a small bug fix.  This APK was rejected.
  • To debug the error I tried changing some things not related to SSL (as i was not aware of the alert section at the time) and uploaded these test builds to alpha.
  • I found the SSL problem, updated Corona, and uploaded a new APK to alpha.
  • I got a notification for this saying it had been rejected.
  • I then posted this plea for help on the Corona forums from which i confirmed that my SSL version was correct.
  • My colleague suggested that it could be that there was a broken version still in beta and he was correct!
  • Promoting the APK to beta (therefor having no insecure versions live) fixed the problem

TLDR: Make sure that you publish any updated APKs in the same alpha/beta/production channel as a rejected APK as google seems to check all channels when any new APK is tested.

#16

Glad you got it solved.

Rob

#17

Can you explain this further? 

Where are you seeing this message?

Are you uploading a production build or an alpha or beta build?

At what point in the upload process are you seeing the message?

Our OpenSSL plugin is using the latest versions required by Google

Thanks

Rob

#18

Hi,

I’ve tried to upload to alpha and beta. Both have been rejected by google and i got this Alert

Security alert

Your app is using a version of OpenSSL containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

Affects APK version  32.

 http://imgur.com/kTIftWm

I’ve seen a post on here from earlier this year where i think this was fixed in a daily build so i have no idea why it is happening with the newest release build.

#19

You can verify the version of the OpenSSL plugin using one of it’s internal API calls.  I think it’s openssl.version(). You can print that value out. You can also verify the version of Corona you’re using using system.getInfo( “build” ).

Print out those values and let me know what you get?

#20

The openSSL version returns 0.0.6 and the Corona build returns 2016.2984