Hi,
I have just published an app on the play store, but quite quickly I have received a warning about OpenSSL
Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible.
The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m and 0.9.8za. To confirm your OpenSSL version, you can do a grep via (“$ unzip -p YourApp.apk | strings | grep “OpenSSL””). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.
To confirm that you’ve upgraded correctly, upload the updated version to the Developer Console and check back after five hours.
Please note: While it’s unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
Running the suggested command gives me the following:
unzip -p AuroraWatchUk.apk | strings | grep “OpenSSL”
+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
Looking in the project I have found that the defaults.js has the following lines, do I just change the OpenSSL value to a correct one to get around this issue? If that is the case what should I change the below to??
// Use a well known user agent (in this case, curl) when using a proxy,
// to avoid potential filtering on many corporate proxies with blank or unknown agents
var userAgent = !proxy && !httpsProxy
? ‘node/’ + process.version + ’ ’ + process.platform + ’ ’ + process.arch
: ‘curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5’;