Android Playstore Security Alert on OpenSSL vulnerability

Tsu Beng Tan, 3 years 6 months ago

Hi Guys,

I have a customer who received a security alert from the Android Play Store when they published their APK/application. (Screenshot is attached.) May I know which Rhomobile version includes the latest OpenSSL version that does not face this vulnerability? Or can users import OpenSSL by themselves?
Rhomobile version tested:

4.0.0
5.0.25
5.038

Thanks.


4 Replies

Louis Mauchet

Hi,

I had the same problem a few weeks ago. Android refused my Rhodes application because of security vulnerabilities caused by the OpenSSL lib.
So I tried to compile the new version of OpenSSL (1.0.1q instead of 1.0.1g). I succeeded in compiling, but the result of the compilation is far smaller than the original (4.2M instead of ~14M). But it seems to work anyway. I presume that I have missed some compilation option(s). The result file is here if you want to try it: rhodes/libopenssl.so.a at master · louisatome/rhodes · GitHub.

The configure command I use to compile OpenSSL:

./config  --openssldir=/tmp/openssl/android-18/ -DANDROID -DOS_ANDROID  -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE  -DOPENSSL_NO_DYNAMIC_ENGINE
If someone has more information on the compilation options needed for Rhodes it would be great!
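A way to confirm which OpenSSL actually ends up inside the APK, added here as an example and not code from this thread, from Rhomobile or from the OpenSSL project: every OpenSSL build embeds a version banner such as "OpenSSL 1.0.1g 7 Apr 2014" in libcrypto/libssl, and Google's own guidance for this Play alert is to look for that banner in the APK's native libraries. The script below opens an APK (a zip file), scans each lib/*/*.so for banners and flags any older than a minimum. The minimum of 1.0.1q is an assumption taken from the version built above; the Play Console alert names the threshold it actually enforces. The sample APK is constructed in memory so the check runs offline, and its .so entries are not real ELF files, only bytes carrying a banner.

```python
import io
import re
import zipfile

# OpenSSL embeds its version banner in every build, e.g. "OpenSSL 1.0.1g 7 Apr 2014"
# or "OpenSSL 1.0.2k-fips 26 Jan 2017". The optional "-suffix" keeps FIPS and
# vendor builds matching; the trailing date anchors the match on a real banner.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-\w+)? \d{1,2} \w{3} \d{4}")

# Minimum acceptable version for this check. ASSUMPTION: 1.0.1q is the release
# built in the post above; replace it with the version the Play alert names.
MIN_VERSION = (1, 0, 1, "q")


def parse_version(match):
    """Turn a banner match into a comparable tuple, e.g. (1, 0, 1, 'g')."""
    major, minor, patch, letter = match.groups()
    # The letter suffix is the patch level within a branch; "" sorts before "a".
    return (int(major), int(minor), int(patch), letter.decode())


def openssl_versions(blob):
    """Return every distinct OpenSSL version tuple embedded in a byte blob."""
    return sorted({parse_version(m) for m in VERSION_RE.finditer(blob)})


def scan_apk(apk_bytes, minimum=MIN_VERSION):
    """Scan every native library in an APK for OpenSSL version banners.

    Returns a list of (path_in_apk, version_label, is_outdated), one entry per
    banner found in a lib/*.so member. Libraries without a banner are skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for ver in openssl_versions(apk.read(name)):
                label = "%d.%d.%d%s" % ver
                findings.append((name, label, ver < minimum))
    return findings


def build_sample_apk():
    """Constructed sample APK for offline testing (hypothetical contents).

    Two libraries carry banners (the old 1.0.1g and the rebuilt 1.0.1q), one
    native library has none, and classes.dex is there to show it is ignored.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi/libopenssl.so",
                     b"\x7fELF junk\x00OpenSSL 1.0.1g 7 Apr 2014\x00more\x00")
        apk.writestr("lib/armeabi/libcrypto_new.so",
                     b"\x7fELF\x00OpenSSL 1.0.1q 3 Dec 2015\x00")
        apk.writestr("lib/armeabi/librhodes.so", b"\x7fELF\x00no banner here\x00")
        apk.writestr("classes.dex", b"dex\n035\x00OpenSSL 0.9.8y 5 Feb 2013\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Against a real build: scan_apk(open("app.apk", "rb").read())
    for path, version, outdated in scan_apk(build_sample_apk()):
        print("%-32s OpenSSL %s  %s" % (path, version, "OUTDATED" if outdated else "ok"))
```

Tuple comparison orders releases correctly within one branch (1.0.1g < 1.0.1q), but it is not a security ordering across branches: a 1.0.2a build compares as newer than 1.0.1q while lacking later 1.0.2 fixes. Set the minimum for the branch you actually ship, and if an APK bundles two copies of the library (as the sample does), every copy has to pass, since the alert is raised on any outdated banner.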

Tsu Beng Tan

According to Zebra Engineering, the OpenSSL option is not a Zebra-supported option but a third-party option added to a Rho project. Hence, you will need to update OpenSSL on the development PC by doing either:
a) a reinstall/upgrade of OpenSSL and the OpenSSL suite of library tools to the current, up-to-date supported version (which is what engineering recommends), or
b) an in-place upgrade/update of the OpenSSL suite of library tools using the OpenSSL source code found at www.openssl.org, as part of this advisory: https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html
Another alternative would be using another encryption algorithm instead. Hope this helps.

Thanks.

Jon Tara

Hence, you will need to update OpenSSL on development PC by doing either:
a) Do a re-Install Upgrade of OpenSSL and the OpenSSL suite library of tools to the current and up-to-date supported version. (Which is what engineering recommend)
b) In-Place upgrade / update of the OpenSSL suite library and tools by use of the OpenSSL source code found at www.openssl.org as part of this advisory: https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html

This won't do a thing to update the OpenSSL Rhodes extension which is used by Rhodes apps at run-time.

The above procedure would just update the OpenSSL used on your development machine. You might then rest assured that your logins to the Zebra license/build server are secure (if your browser/OS uses openSSL - do any still? OSX does not.), but it will do nothing else for you.

What is needed is an update to the OpenSSL extension. That is likely a big job. If you do it, consider sharing it!

It would be far preferable to use the Network API, which will use the underlying native APIs of each platform. For example, on iOS it uses the native iOS network framework, which does not use OpenSSL at all.

Why do you need to use openSSL? Do you need to support some non-http protocol? I've used openSSL with XMPP. I can't think of many other good reasons for using it.

jassica maria

It's crucial for Android users to stay informed about security alerts, such as the recent one regarding the OpenSSL vulnerability. Google's proactive approach to addressing these issues in the Play Store underscores the importance of ongoing vigilance and swift action to maintain the integrity and safety of the Android ecosystem. 
