How to address OpenSSL vulnerabilities in your apps #40

Closed
dolar2006 opened this issue Apr 26, 2016 · 5 comments

@dolar2006

This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.02f/1.01r. These versions contain security vulnerabilities.

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL.

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can search the APK's contents with: $ unzip -p YourApp.apk | strings | grep "OpenSSL"

If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

While these issues may not affect every app that uses OpenSSL versions prior to 1.02f/1.01r, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you an OpenSSL warning in error, contact our support team through the Google Play Developer Help Center.
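The notice above suggests grepping an APK's contents for the OpenSSL version string. The script below is an added example, not part of the original issue or of Google's tooling: it opens an APK with Python's zipfile module, extracts every "OpenSSL x.y.zL" string from the native libraries under lib/, and reports which libraries fall below the minimum patch level. It assumes the notice's "1.02f/1.01r" refers to OpenSSL 1.0.2f and 1.0.1r, and the sample APK it builds is constructed in-line so it runs offline.

```python
import io
import re
import zipfile

# Version strings OpenSSL embeds in libcrypto/libssl, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

# Assumed mapping of the notice's "1.02f/1.01r" onto real OpenSSL version numbers:
# branch 1.0.1 needs patch letter "r" or later, branch 1.0.2 needs "f" or later.
MIN_PATCH = {(1, 0, 1): "r", (1, 0, 2): "f"}


def parse_versions(blob: bytes) -> set:
    """Return every (major, minor, fix, letter) tuple found in a binary blob."""
    return {(int(a), int(b), int(c), d.decode()) for a, b, c, d in VERSION_RE.findall(blob)}


def is_outdated(version) -> bool:
    """True if this version is older than the minimum the notice requires."""
    major, minor, fix, letter = version
    branch = (major, minor, fix)
    if branch in MIN_PATCH:
        return letter < MIN_PATCH[branch]
    # Branches older than 1.0.1 are outdated; newer branches (1.1.0+) are not.
    return branch < (1, 0, 1)


def scan_apk(apk_bytes: bytes) -> dict:
    """Map each native library in the APK to the OpenSSL versions it embeds."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/"):
                versions = parse_versions(zf.read(name))
                if versions:
                    found[name] = versions
    return found


def outdated_libraries(apk_bytes: bytes) -> list:
    """Sorted names of bundled libraries that embed an outdated OpenSSL version."""
    return sorted(n for n, vs in scan_apk(apk_bytes).items() if any(is_outdated(v) for v in vs))


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libold.so", b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi-v7a/libnew.so", b"\x00OpenSSL 1.0.2g  1 Mar 2016\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()
```

Run `outdated_libraries(open("YourApp.apk", "rb").read())` on a real APK; an empty list means no bundled library under lib/ advertises a version below the threshold, though a library that strips its version string would not be detected this way.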

@n8fr8
Member

n8fr8 commented Apr 26, 2016

Why are you pretending to be someone from Google? Also, this issue isn't relevant to us since the way that Tor uses OpenSSL is not affected by logjam.

@n8fr8 n8fr8 closed this as completed Apr 26, 2016
@dolar2006
Author

This information appeared in the Developer Console. The OpenSSL used in your application is vulnerable.

@n8fr8
Member

n8fr8 commented Apr 28, 2016

What do you mean the Developer Console? Who's developer console?

As I noted, the way Tor uses OpenSSL is different from most apps, and it is not vulnerable.

@dolar2006
Author

What version of OpenSSL is used in your application?

1.02f / 1.01r are vulnerable.
These versions contain a security vulnerability.

@n8fr8
Member

n8fr8 commented Apr 28, 2016

I am not saying there isn't a vulnerability, but that Tor is not a typical openssl client, and that it is not susceptible to this flaw.

https://lists.torproject.org/pipermail/tor-dev/2015-May/008868.html

Regardless, we will likely be updating OpenSSL to the latest release in our next version.
