ludei / webview-plus

Uniform webview on any Android 4.x device.

OpenSSL security alert issue #44

Open severedsea opened 9 years ago

severedsea commented 9 years ago

Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible. The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt. To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.

Received this security alert from Google regarding our newly submitted app.

I tracked down which plugin is causing this issue and narrowed it down to webview-plus. The command provided by Google showed me that, with webview-plus included, there is an OpenSSL v1.0.1e linked to our app. Removing webview-plus plugin and running the command doesn't show any OpenSSL version.

Can I verify if the team is aware of this? If you are, are you planning on fixing this to avoid the risk of Google Play taking down apps that have webview-plus installed?
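Added example, not part of the original thread or the project's code: a per-file version of the `unzip | strings | grep` check from the alert, which reports which archive entry carries the OpenSSL banner and compares it against the fixed releases the alert names (1.0.1h, 1.0.0m, 0.9.8za). The sample APK, its `libexample.so` entry and the helper names are constructed for illustration.

```python
import io
import re
import zipfile

# First fixed release per branch, as listed in the alert quoted above.
FIXED = {"1.0.1": "h", "1.0.0": "m", "0.9.8": "za"}
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

def patch_rank(letters):
    # OpenSSL letter suffixes order as "", a..z, za, zb, ...: compare length, then text.
    return (len(letters), letters)

def is_vulnerable(branch, letters):
    """True if older than the branch's fixed release; None if the alert does not cover the branch."""
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return patch_rank(letters) < patch_rank(fixed)

def scan_apk(apk):
    """Return sorted (entry, version, vulnerable) tuples for each OpenSSL banner in the archive."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            for m in BANNER.finditer(zf.read(name)):
                branch, letters = m.group(1).decode(), m.group(2).decode()
                findings.add((name, branch + letters, is_vulnerable(branch, letters)))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def build_sample_apk():
    """Constructed stand-in for an APK: a zip holding one fake native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Constructed bytes imitating the version banner a statically linked OpenSSL leaves behind.
        zf.writestr("lib/armeabi/libexample.so",
                    b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("assets/www/index.html", b"<html></html>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, version, vulnerable in scan_apk(build_sample_apk()):
        status = {True: "VULNERABLE", False: "fixed", None: "branch not in alert"}[vulnerable]
        print(f"{entry}: OpenSSL {version} -> {status}")
```

Pass a real APK path to `scan_apk` in place of the constructed archive; a banner match only shows that the string is present in that file, which is the same evidence the alert's grep relies on.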

sameid commented 9 years ago

I received the same issue.

Nigh7Sh4de commented 9 years ago

http://support.ludei.com/hc/communities/public/questions/201967485-Security-alert-for-OpenSSL-version-with-APK-files

It seems they know but have yet to fix this issue.

kacinskas commented 9 years ago

I have the same issue, hope it will be resolved soon.

severedsea commented 9 years ago

@Nigh7Sh4de - Thanks for the link!

Based on the latest comments in that link, the team is working on it (If I understand correctly). So, should we just wait for the updated version that fixes the OpenSSL security alert? Because Google is giving us 60 days to comply, can we get some updates from the team? Thank you!

kacinskas commented 9 years ago

@severedsea Take a look here: http://support.ludei.com/hc/communities/public/questions/201967485-Security-alert-for-OpenSSL-version-with-APK-files?page=1#answer-202136425

They will no longer support it; they released the code to the public, so maybe someone will fix that. Also, this is from a Ludei support email: "... we are working in a new Cocoon cloud with an up to date version of the WebView+ plugin that solves this issue ...", but it's still in beta.

I have switched to crosswalk, and am using this plugin for webview - cordova-plugin-crosswalk-webview 1.2.0

severedsea commented 9 years ago

@kacinskas - Thanks, mate! Does crosswalk solve the performance issue of HTML5 Canvas on Android 4.4+?

kacinskas commented 9 years ago

@severedsea - I did not make any benchmarks and can't compare, but in general it looks like WebView+ was a bit faster (but that may not be true at all...). Anyway, crosswalkWebview fixes all those sound issues, etc.

severedsea commented 9 years ago

@kacinskas - Thanks! Appreciate your help! I'll give it a shot and update you guys.

MayankLogiciel commented 8 years ago

I also have the same issue, and the app was rejected by Google. What to do?

Crosswalk is also not helping:
1) Poor performance while writing/drawing on canvas.
2) Not able to fetch location using geolocation.
3) File upload/download is also crashing the app using the file-transfer plugin (Android 4.1.2 tablet).