OpenSSL vulnerability warning from Google Play


#1

My team has an app made with ionic live on the play store. I recently got an email from google play: Email text which basically says that the app uses a version of OpenSSL that’s not safe, and that they’ll refuse any further updates. I tried to check my OpenSSL version as instructed : unzip -p myapp.apk | strings| grep 'OpenSSL' which gave the following output:

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl

It was supposed to show me the openssl version that’s in use, but I’m not sure if i understand correctly.
How do I solve this issue?


#2

Hi there,
I got the same mail, and a few hours later another one saying the first one was sent in error :slight_smile:
I think the ssl problem in crosswalk was fixed long ago

or do you use any other component that includes ssl functionality?


#3

Hmm, are you both using crosswalk? There were some ssl issues with older versions of crosswalk that require you to update.


#4

yep I am using crosswalk 11.xx or 12.xx not sure anymore which one I pushed to the play store.
But as I said, a few hours later I recieved another mail from google:

Recently we sent you a notification that one or more of your apps
should be upgraded to more recent version of OpenSSL, due to security
vulnerabilities. The notification was sent in error, and we thank you
for previously making the necessary changes to your app.

We apologize for any confusion this may have caused.


#5

@tobika: not really; not that I know of. We were using crosswalk for one version, but the latest one doesn’t use crosswalk. Must have been sent in error then…