OpenSSL Google Security Alert
Started by greg brady Mar 31 2016 04:54 AM

40 replies to this topic

#1 greg brady (Contributor, 283 posts, Corona SDK)

Hi,

I just got this warning today from Google:

 

Security alert

Your app is using a version of OpenSSL containing a security vulnerability. Please see this Google Help Center article for details, including the deadline for fixing the vulnerability.

How to address OpenSSL vulnerabilities in your apps

This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.02f/1.01r.  These versions contain security vulnerabilities.  

 

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK.

 

Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL.  

 

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").

 

If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

 

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.  

The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

 

While these issues may not affect every app that uses OpenSSL versions prior to 1.02f/1.01r, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

 

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you an OpenSSL warning in error, contact our support team through the Google Play Developer Help Center.
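Google's grep check above, worked into a small script. This is an added example, not code from the thread, from Google or from Corona; it assumes only POSIX sh, grep, sort and sed, uses grep -a in place of strings so it runs without binutils, and takes the file to scan as an argument (for an APK, the extracted native libraries or the output of unzip -p). The sample binary is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): find OpenSSL version banners in a
# binary and flag any below the fixed releases named in Google's notice.
# For an APK, scan the output of `unzip -p YourApp.apk` or each lib/*/*.so.

# List every distinct "OpenSSL x.y.zl" banner embedded in file $1.
openssl_banners() {
    grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" | LC_ALL=C sort -u
}

# Exit 0 if version $1 (e.g. 1.0.1j) is at or above its branch's fixed
# release (1.0.2f, 1.0.1r); exit 2 for any other branch so it gets reviewed.
openssl_version_fixed() {
    v=$1
    branch=${v%%[a-z]*}       # 1.0.1j -> 1.0.1
    letter=${v#"$branch"}     # 1.0.1j -> j (empty for a bare 1.0.2)
    case "$branch" in
        1.0.2) min=f ;;
        1.0.1) min=r ;;
        *) return 2 ;;
    esac
    # Letter releases order alphabetically and "" sorts before "a", so the
    # version is fixed exactly when $min sorts first or equals $letter.
    [ "$(printf '%s\n' "$letter" "$min" | LC_ALL=C sort | head -n 1)" = "$min" ]
}

# Scan one file; exit 0 when every banner is fixed, 1 when any is not.
scan_file() {
    status=0 found=0
    for ver in $(openssl_banners "$1" | sed 's/^OpenSSL //'); do
        found=1
        if openssl_version_fixed "$ver"; then
            echo "ok          OpenSSL $ver"
        else
            echo "VULNERABLE  OpenSSL $ver (needs 1.0.2f / 1.0.1r or later)"
            status=1
        fi
    done
    [ "$found" = 1 ] || echo "no OpenSSL banner found (no statically linked copy?)"
    return $status
}

# Constructed sample: a fake native library carrying the 1.0.1j banner that
# iyoda's Corona log reports, with NUL bytes around it like a real binary.
SAMPLE_LIB=$(mktemp)
trap 'rm -f "$SAMPLE_LIB"' EXIT
printf 'junk\000OpenSSL 1.0.1j 15 Oct 2014\000more\000' > "$SAMPLE_LIB"
if scan_file "$SAMPLE_LIB"; then echo "all banners fixed"; else echo "fix before uploading"; fi
```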

 



#2 Perry Clarke (Moderator, 850 posts, Corona Staff)

Which version of CoronaSDK are you using?  What operating system are you using?



#3 greg brady (Contributor, 283 posts, Corona SDK)

Corona SDK Enterprise v2016.2830. I'm developing on Windows 7.

Thanks, Greg



#4 SGS (Corona Geek, 2,120 posts, Corona SDK)

I got the same thing... The plugin needs upgrading

#5 rgabriel15 (Observer, 4 posts, Corona SDK)

I got the same warning from Google today...



#6 iyoda (Observer, 15 posts, Enterprise)

I got the same email from Google.

Here is the log of Corona SDK.

Copyright © 2009-2016  C o r o n a   L a b s   I n c .
4月 01 04:30:08.284:     Version: 3.0.0
4月 01 04:30:08.284:     Build: 2016.2839
4月 01 04:30:11.622: lua-openssl version: 0.0.5    Lua 5.1    OpenSSL 1.0.1j 15 Oct 2014
 



#7 Rob... (Contributor, 330 posts, Corona SDK)

I got the email too. Yesterday I noticed a shed load of apps with warning messages on the dashboard. Won't be able to update or add any new apps with this current ssl version after July.

#8 Alan PlantPot (Contributor, 920 posts, Corona SDK)

Same here, built using Corona SDK Enterprise v2016.2830 on OSX Yosemite. As adrianm says, perhaps the plugin needs upgrading.



#9 yo1 (Observer, 23 posts, Corona SDK)

Same email here. I only use OpenSSL for local encryption (not communication, which is where I believe the security vulnerabilities lie), but Google does not recognize that distinction. 

 

By the way, if the OpenSSL library could be updated to also be compatible with running in the iOS Simulator (it currently causes an error, as has been mentioned here before), that would be even better.



#10 SGS (Corona Geek, 2,120 posts, Corona SDK)

Same here yo1... Don't want anyone with a text editor and root privileges giving themselves free iaps!

#11 Rob Miracle (Moderator, 26,331 posts, Enterprise)

Engineering is aware of this and are investigating solutions.



#12 andrew.shaw (Observer, 15 posts, Corona SDK)

Just want to +1 this.  Need this plug-in updated.



#13 alfonso.jurado (Observer, 1 post, Corona SDK)

Just want to +1 this.  I only use OpenSSL for local encryption but Google does not care.



#14 Rob... (Contributor, 330 posts, Corona SDK)

I've just been working on a JSON>string mangler/demangler, with verification. I'll add one more pass to it tomorrow, then I can do away with the SSL plugin.



#15 Steven Warren (Enthusiast, 71 posts, Corona SDK)

Engineering is aware of this and are investigating solutions.

Rob, any update on updating the OpenSSL plugin? Normally I would be more patient, but those of us using it are up against a deadline with Google and will need to find a workaround if Corona is not able to update it quickly enough.



#16 Rob Miracle (Moderator, 26,331 posts, Enterprise)

The deadline is July 11, 2016. That's over 3 months away. Our engineers need time to assess the issue and make sure we get a solid solution out to you. We are quite aware of this and we will be working to fix it. We understand your desire to get this solved sooner rather than later, but we hope you understand we need time to research this and give you a non-rushed solution.

 

Rob



#17 Rob... (Contributor, 330 posts, Corona SDK)

There is an alternative way for the impatient like me.

You get your save table, converted to JSON. Convert it to a string, mangle it up and use that to save. On load you un-mangle it and it works a treat. I can supply an example and you can use that as a base if anyone is interested. The only downside is that if you remove the plugin, you won't be able to open up any existing game saves. The plan for that is to keep the plugin AND the new method on the next APK update so I can load the save data and convert it to my new save data format. Then I will have to update the APK again with the plugin removed.



#18 Steven Warren (Enthusiast, 71 posts, Corona SDK)

The deadline is July 11, 2016. That's over 3 months away. Our engineers need time to assess the issue and make sure we get a solid solution out to you. We are quite aware of this and we will be working to fix it. We understand your desire to get this solved sooner rather than later, but we hope you understand we need time to research this and give you a non-rushed solution.

Rob

Rob,

I completely understand. We have a lot of apps affected and we don't want to be 3 months down the road and rushing to implement a solution, as we will "need time to assess the issue and make sure we get a solid solution."

Thanks for the update.



#19 Steven Warren (Enthusiast, 71 posts, Corona SDK)

There is an alternative way for the impatient like me.

You get your save table, converted to JSON. Convert it to a string, mangle it up and use that to save. On load you un-mangle it and it works a treat. I can supply an example and you can use that as a base if anyone is interested. The only downside is that if you remove the plugin, you won't be able to open up any existing game saves. The plan for that is to keep the plugin AND the new method on the next APK update so I can load the save data and convert it to my new save data format. Then I will have to update the APK again with the plugin removed.

Thanks for the suggestion. This is very similar to my Plan B. I am hoping not to go this route, which is why getting an idea of the timeline for Corona to fix this issue is a deciding factor.



#20 x31 (Observer, 3 posts, Corona SDK)

In my project I use only 2 of the openssl functions:

local openssl = require "plugin.openssl"

local cipher = openssl.get_cipher("aes-256-cbc")

cipher:encrypt() -- 1
cipher:decrypt() -- 2

Is there an analog of these in pure Lua?



#21 Alan PlantPot (Contributor, 920 posts, Corona SDK)

Any news on this? No pressure, just wanted to know what the current state of play is  :)



#22 Rob... (Contributor, 330 posts, Corona SDK)

I would also like to know that if and when this is updated, it would keep compatibility with loading old encrypted saves.

I'm only interested in updating current apps. For any new ones I'm already using my own home-made basic encryption, so I never have this problem again.



#23 SGS (Corona Geek, 2,120 posts, Corona SDK)

Hi Rob, is there a release schedule on this yet?  Time is marching on and this has a massive impact for all of us using this plugin for local encryption.

Thanks



#24 Rob Miracle (Moderator, 26,331 posts, Enterprise)

There are a bunch of dependencies on this. Engineering is actively working on this. Many times you can't just grab a new version of a library or SDK, hit the build button and expect it to work out of the box.

Rob



#25 Rob... (Contributor, 330 posts, Corona SDK)

What I'm doing right now is rolling out 50+ apps with my own version of saving at the same time as the current saving. Then in a few weeks I can roll out another update removing the plugin for good.

This is a real chore and ball ache, but I will be glad to not have this problem again. I can't take any chances waiting any longer, as the potential for losing people's game saves gets high.



