Google email says to migrate to OpenSSL 1.02f/1.01r

9 posts, 0 answers
  1. David
    13 posts
    Member since:
    Apr 2013

    Posted 05 Apr

    Has anyone else received the Google Play email stating the following:

    "Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher."

    I have searched my project and the only references I am finding are in the file everlive.all.js; so I presume this is something that Telerik will need to fix?

    Please advise.

  2. Anton Dobrev
    Admin
    539 posts

    Posted 08 Apr

    Hi David,

    Thanks for bringing the issue to our attention.

    The Everlive JS SDK uses an external dependency for cryptography methods for encrypting the offline storage (please see more on the matter here). This module contains properties and fields named "OpenSSL" which indicate methods for interoperability with OpenSSL but does not reference the OpenSSL module.

    This said, the check Google is recommending will return results for the string "OpenSSL", but the OpenSSL module in question is not used in the SDK. Perhaps the presence of such strings may be a reason for the app to be considered as using a version of OpenSSL that is not allowed.

    While we are researching the issue, can you please:

    - Specify if the message was sent at the time of submitting your app for publishing.
    - Check with the attached version of the SDK - it does not use the cryptography module. In case you are not using the offline storage (respectively encryption) in your app, you may not need this module for communicating with Everlive. Please use this just as verification that the issue stands in the Everlive SDK and use the official release for production purposes.

    Let us know should you have further questions or considerations.

    Regards,
    Anton Dobrev
    Telerik
     

    Visit the Telerik Verified Plugins Marketplace and get the custom Cordova plugin you need, already tweaked to work seamlessly with AppBuilder.

     
  3. Anton Dobrev
    Admin
    539 posts

    Posted 28 Apr

    Hi David,

    Just a quick follow up to your inquiry.

    We created a simple hybrid application in Telerik Platform and published it to Google Play. The app was approved and published without warnings. 

    The project properties are:

    - Cordova 4
    - Everlive JavaScript SDK 1.6.9 (min and src versions) embedded locally in the app
    - All Cordova Core plugins enabled in the project (except for the Keyboard and Console)

    I hope that this information will be helpful for you.

    Regards,
    Anton Dobrev
    Telerik
  4. David
    13 posts
    Member since:
    Apr 2013

    Posted 14 Jun in reply to Anton Dobrev

    Anton,

    I was able to get my app published as well, however Google has a yellow warning triangle with a warning next to my app stating that it is using a vulnerable OpenSSL.  See attached image.

    Does your sample app have that warning?

    Is there a list or log in Visual Studio that would show what modules are included?

    I have not had a chance to try your temporary SDK, but thought I would check first to see if your app had the warning.

    Thanks,
    David

  5. Anton Dobrev
    Admin
    539 posts

    Posted 17 Jun

    Hello David,

    Thanks for writing back.

    When preparing and publishing the test app there were no warnings in the Google Play portal. I asked my colleagues who published the app on my behalf about the same subject again, and they confirmed no similar warnings were displayed.

    Given the nature of the issue my suggestion would be to double check:

    - The Cordova version of the app - using Cordova 4.0 in Telerik Platform (4.1.1 for Android) is the minimum acceptable version for the Google Play store after May 2016.
    - External plugins, SDKs, frameworks used in the app or located in the application package - I am suspecting a given library may have a dependency on OpenSSL or perform an operation using OpenSSL. This operation, however, may not appear when scanning the code for the openssl string match.
    - If external plugins are used - check them for such dependencies - plugins that communicate with large backend systems, perform security pinning, etc. may have such a dependency.

    I hope that this helps.

    Regards,
    Anton Dobrev
    Telerik
  6. David
    13 posts
    Member since:
    Apr 2013

    Posted 24 Jun in reply to David

    Anton,

    I am using Everlive for Push Notifications.  When I tried using your temporary SDK that omitted the SSL module I was unable to get the app to run.  The version with the latest Bower component of Everlive did run fine on both the Simulator and as a beta in the Android Play store.  However, when I replaced the bower component's everlive.all files, I cannot get the simulator to run.  It gives the error:

    Uncaught Error: Cannot find module 'node-cryptojs-aes' at bower_components/everlive/min/everlive.all.min.js (line: 26)
    Uncaught ReferenceError: Everlive is not defined at app.js (line: 125)

    Maybe I am not installing your temporary version correctly.

    When my latest working Beta is in Android store, I am not seeing any warning, however I would need to promote to production to truly see if it is clear of the problem.  My thought is that Google is running the scans of the APK looking for the phrase OpenSSL to determine if the app has the issue and they are only scanning production not beta apps.

    I have attached a screen shot showing the Plugins, and the Solutions Explorer shows only the Everlive in the Bower Components.

    I am using Kendo.UI.Core version "2016.1.112 Verified". 

    Here is the link for the Warning Message about the OpenSSL ... https://support.google.com/faqs/answer/6376725

    Is there a way to get a version of the Everlive SDK with the name "OpenSSL" changed slightly so it does not trigger the grep that Google does on the apk file. Also, please provide detailed instructions on how to install the SDK from the zip provided.

    Does the Crypto library referenced in Everlive SDK actually use OpenSSL?  If so, which version?

    Thank you in advance for your prompt help.  The deadline is approaching fast.

    Thanks,

    David

  7. Anton Dobrev
    Admin
    539 posts

    Posted 29 Jun

    Hello David,

    As to your questions.

    The SDK attached in my previous reply was not correctly built without this dependency and hence the error. I would like to offer my apologies for the same. Please find attached the SDK that should function correctly without the cryptography libraries.

    You can import the files simply by importing the folder in your project and referencing the desired version of the SDK in your code.

    The Everlive SDK utilizes the node-cryptojs-aes module for some cryptography functions but does not have a dependency on OpenSSL. It also utilizes the Crypto JS module for the same. Both libraries have methods for interoperability with OpenSSL but to our awareness do not utilize the OpenSSL module, though the term OpenSSL is used in a bunch of methods.

    The attached version of the SDK does not contain any of the modules so you can test with it.

    I hope that this helps.

    Regards,
    Anton Dobrev
    Telerik
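The distinction drawn in this thread, between a library that merely names an OpenSSL-compatible format (as CryptoJS does) and an APK that actually bundles an OpenSSL build, can be checked locally before publishing. The following is an added example, not code from Telerik, Google or the Everlive SDK: it unpacks an APK, looks for real OpenSSL version banners ("OpenSSL 1.0.1e 11 Feb 2013" style strings, which only an embedded OpenSSL build carries), lists members that contain only the bare word "OpenSSL", and compares any version found against the 1.0.1r / 1.0.2f floor quoted from the Google Play notice. The sample APK, its member names and the banner strings are constructed inside the block.

```python
import io
import re
import zipfile

# Floor named in the Google Play notice quoted in this thread: 1.0.1r / 1.0.2f.
MIN_LETTER_BY_BRANCH = {(1, 0, 1): "r", (1, 0, 2): "f"}
# A real OpenSSL build embeds a banner like "OpenSSL 1.0.1e 11 Feb 2013";
# a bare "OpenSSL" (e.g. CryptoJS.format.OpenSSL) does not match this.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

def is_patched(major, minor, patch, letter):
    """True if the version meets the 1.0.1r / 1.0.2f floor from the notice."""
    branch = (major, minor, patch)
    if branch in MIN_LETTER_BY_BRANCH:
        return letter >= MIN_LETTER_BY_BRANCH[branch]
    return branch > (1, 0, 2)  # 1.1.x and newer pass; 0.9.x and 1.0.0 fail

def scan_apk(apk_bytes):
    """Return (versions, mentions): versions maps an archive member to the
    [(version, patched)] banners found in it; mentions lists members that
    only contain the word "OpenSSL" with no version banner."""
    versions, mentions = {}, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            banners = BANNER_RE.findall(data)
            if banners:
                versions[name] = [
                    ("%d.%d.%d%s" % (int(a), int(b), int(c), d.decode()),
                     is_patched(int(a), int(b), int(c), d.decode()))
                    for a, b, c, d in banners]
            elif b"OpenSSL" in data:
                mentions.append(name)
    return versions, mentions

def build_sample_apk():
    """Constructed sample (not a real app): a JS bundle that only names the
    CryptoJS OpenSSL formatter, plus two native libraries with banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/www/everlive.all.min.js",
                    b"var fmt = CryptoJS.format.OpenSSL; // no OpenSSL code")
        zf.writestr("lib/armeabi-v7a/libold.so",
                    b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi-v7a/libnew.so",
                    b"\x7fELF...OpenSSL 1.0.2g  1 Mar 2016\x00")
    return buf.getvalue()

print(scan_apk(build_sample_apk()))
```

Run against a real APK by passing the file's bytes to scan_apk; a member that shows up only under "mentions" is a string match of the kind described above, while a banner below the floor points at the native library (plugin) that needs upgrading.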
  8. David
    13 posts
    Member since:
    Apr 2013

    Posted 30 Jun in reply to Anton Dobrev

    I rebuilt with the special Everlive SDK and posted to my Beta test.  After several hours, an alert showed up that it still had the OpenSSL security vulnerability.  So I removed all my plugins except for Push Notifications, rebuilt and published to Beta test.  After waiting many hours, I did not see any alert regarding that APK version.  Same when I added back the Telerik plugin for Spinner Dialog.

    So that narrows it down: the Telerik plugin for Mapbox version 1.1.1 was the plugin most likely causing the problem.  I see a newer version is available, but since I changed to using Google maps instead of Mapbox, I will not be reinstalling the Mapbox plugin.

    One last test that I am conducting is to reinstall the full latest version of the Everlive SDK and publish that to my Beta test.  Hopefully that version will pass their OpenSSL vulnerability test.  I still need to give it some time for Google to scan the APK and issue the alert, if any.  I will post if this latest version gets flagged; otherwise we will assume it is Mapbox.

    Thanks,

    David

  9. Anton Dobrev
    Admin
    539 posts

    Posted 05 Jul

    Hi David,

    Glad that your investigation was fruitful and hopefully it will lead to resolving the issue.

    Let me know of the final results and should you have further questions or considerations.

    Regards,
    Anton Dobrev
    Telerik by Progress