OpenSSL vulnerability

[neilb]

I just received an email from Google that was threatening to ban one or more Android apps due to SSL vulnerabilities.

They wouldn't tell me which apps, so I used a hearth bleed scanner and it flagged all my shiva apps as running a really old version of OpenSSL. The vulnerability dated 7 days ago, so it's very new.

I'm not 100% sure it's Shiva is the reason that Google flagged emailed me, but libssl is definitely shipping with all my shiva apps.

How can I update libssl to the latest version?

[NiCoX]

[feng3d]

Hi,
I got the same mail.
Because I don't need SSL and I had removed the OpenSSL lib from my apps.
Is it ok?

[broozar]

another topic on this issue:
viewtopic.php?f=43&t=30016&p=67308&hilit=ssl#p67304

[giggsy]

[Fraser]

[NiCoX]

Hi all,

Please find the OpenSSL 1.0.1h compiled for Android:



The archive includes libcrypto and libssl for the arm-v5te, arm-v7a and x86 architectures.

The files must be renamed (by removing the architecture suffix) if you replace them in an existing Eclipse project, or if you just want to "unzip" the APK, replace the libs, and repack. For all new exports, just decompress the archive in the Android build directory, which is:

- on Mac OS X: /Path/To/ShiVa Authoring Tool.app/Contents/Resources/Data/Mac/Android/Build
- on Windows: /Path/To/ShiVa Authoring Tool/Data/Mac/Android/Build

Please let us know if you encounter problems, or if that just works!

[kaxig]

is there a way to validate the new functionality?

[_geo_]

Thx for the fix.

We have implemented it and are currrently waiting for Google´s approval that it´s fixed. Https connections have been working fine so far, no problems on the functionality side.

[psychicsoftware]

Thanks Nicox!

@Geo: what kind of verification from Google do you expect? They don't have any auditing of uploads do they?