Jump to content

Cocoon js: resolving OpenSSL vulnerabilities


BattyMilk
 Share

Recommended Posts

I've developed an HTML5 game using cocoonjs.

 

I followed various guides online to get the thing SSL'd(?) and zipaligned (?) and was finally able to get the APK supplied by cocoon in a format that the play store would accept.

 

I have received an email from the play store advising me of a 60 day deadline to resolve SSL issues with the app (pasted below). Does anyone know of any online resource (or would care to share their advice) that can hold my hand through resolving this (preferably the whole process from cocoon APK to play store ready APK) issue. Getting it to a play store ready format took a couple of hours and if I'm honest, I have no idea how I got there ;)

 

Thanks,

BattyMilk

 

 

Email from the play store

 

We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details).

REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.

The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via: $ unzip -p YourApp.apk | strings | grep "OpenSSL"

For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm that you’ve upgraded correctly, upload the updated version of the app(s) to the Developer Console and check back after five hours. For other technical questions about managing OpenSSL, please seehttps://groups.google.com/forum/#!forum/mailing.openssl.users.

In 60 days, we will not accept app updates containing the vulnerabilities. In addition, we will reject new apps containing the vulnerabilities.

Note: while the issues may not affect every app that uses OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, developers should stay up to date on all security patches. Even if you think that specific issues may not be relevant, it's good practice to update any libraries in your app that have known issues. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing applications, please ensure your apps’ compliance with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, visit this Google Play Help Center article.

Regards,
Google Play Team

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...