Security warning from Google
-
Hi, I'm using Qt for an Android app (built on a Windows machine), and just recently received a warning from Google about security issues with the OpenSSL I'm using.
I'm not doing anything special, but I am using standard libraries like QNetworkAccessManager and QUrlQuery.
I'm also using Qt 5.4.
Has anyone else received this warning (full text down below) and perhaps solved it by updating something?
Thanks,
Erik
Full text of warning from Google:
Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible. The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via `$ unzip -p YourApp.apk | strings | grep "OpenSSL"`. For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.
To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.
-
Hi,
@qt_erik said:
Has anyone else received this warning (full text down below) and perhaps solved it by updating something?
Qt does not ship with OpenSSL.
You need to update your local copy of OpenSSL, OR create a dynamically-linked build instead of a statically-linked one.
-
Thanks JKSH, you said "Qt does not ship with OpenSSL," and that is the reason I am reaching out on this forum.
I don't have OpenSSL installed on my build machine, nor do I link to it anywhere in my build process, either statically or dynamically. I'm confused as to why Google thinks I have any version of OpenSSL in my APK file, let alone an old one.
Maybe their detection software is looking at something else or was an erroneous email warning?
I'll reach out to Google and see if they have anything to say on the issue.
Thanks,
Erik
-
Hi Erik,
@qt_erik said:
Thanks JKSH, you said "Qt does not ship with OpenSSL," and that is the reason I am reaching out on this forum.
I don't have OpenSSL installed on my build machine, nor do I link to it anywhere in my build process, either statically or dynamically. I'm confused as to why Google thinks I have any version of OpenSSL in my APK file, let alone an old one.
Maybe their detection software is looking at something else or was an erroneous email warning?
I'll reach out to Google and see if they have anything to say on the issue.
That sounds quite odd indeed. Sorry I don't have any knowledge on this issue, as I don't develop Android apps. I do know that the official Qt builds always link to OpenSSL dynamically for legal reasons -- Qt loads OpenSSL dynamically if it's available on the target device.
Have a look through the first several results at https://www.google.com/search?q=site:doc.qt.io/qt-5/+openssl+android -- does anything jump out at you?
Also, try Google's suggestion and see if it provides any clues:
To confirm your OpenSSL version, you can do a grep via `$ unzip -p YourApp.apk | strings | grep "OpenSSL"`
-
Hmm, this user has reported the same issue: https://forum.qt.io/topic/53883/
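An added example, not code from the thread, from Qt or from Google: the check Google suggests (`unzip -p YourApp.apk | strings | grep "OpenSSL"`) tells you only that an OpenSSL banner exists somewhere in the APK. The script below does the same scan per zip entry, so you can see which `.so` (or other file) carries the banner, and compares the version letter against the fixed releases named in the warning (1.0.1h, 1.0.0m, 0.9.8za). It assumes the standard OpenSSL banner format `OpenSSL X.Y.Zs DD Mon YYYY` and uses a constructed in-memory APK (a plain zip with a fake native library) as sample input; the file names and the old version in it are made up for the demonstration.

```python
"""Per-entry OpenSSL banner scan of an APK.

Equivalent of `unzip -p YourApp.apk | strings | grep "OpenSSL"`, but reports
which entry inside the APK contains the banner and whether its version is
older than the fixed release for that branch.
"""
import io
import re
import sys
import zipfile

# Minimum fixed release per branch, taken from Google's warning (secadv_20140605).
FIXED_SUFFIX = {"1.0.1": "h", "1.0.0": "m", "0.9.8": "za"}

# OpenSSL's compiled-in banner looks like "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")
# Runs of 4+ printable ASCII bytes: what `strings` prints by default.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def strings(data):
    """Emulate `strings`: printable ASCII runs of length >= 4."""
    return PRINTABLE_RE.findall(data)


def is_vulnerable(base, suffix):
    """True if older than the fixed release on its branch, False if fixed,
    None if the branch is not one the warning covers.
    Pre-1.1 letter suffixes sort lexicographically: "" < "a" < ... < "z" < "za" < "zb"."""
    if base not in FIXED_SUFFIX:
        return None
    return suffix < FIXED_SUFFIX[base]


def find_openssl_versions(apk):
    """Return {entry_name: [(base, suffix), ...]} for every entry whose
    printable strings contain an OpenSSL banner. `apk` is a path or file object."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = set()
            for s in strings(zf.read(info.filename)):
                for m in VERSION_RE.finditer(s):
                    found.add((m.group(1).decode(), m.group(2).decode()))
            if found:
                hits[info.filename] = sorted(found)
    return hits


def report(apk):
    """List of (entry_name, version_text, vulnerable) rows for an APK."""
    rows = []
    for name, versions in find_openssl_versions(apk).items():
        for base, suffix in versions:
            rows.append((name, base + suffix, is_vulnerable(base, suffix)))
    return rows


def sample_apk_bytes():
    """Constructed sample APK (just a zip): one fake native library with an
    old OpenSSL banner baked in, one without. Not a real app or library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("lib/armeabi-v7a/libcrypto-static.so",
                    b"\x7fELF" + b"\x00" * 32
                    + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi-v7a/libclean.so",
                    b"\x7fELF" + b"\x00" * 32 + b"no ssl here\x00")
    return buf.getvalue()


def scan_sample():
    """Run the scan over the constructed sample APK."""
    return report(io.BytesIO(sample_apk_bytes()))


if __name__ == "__main__":
    rows = report(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for name, ver, vuln in rows:
        state = "VULNERABLE" if vuln else ("ok" if vuln is False else "unknown branch")
        print(f"{name}: OpenSSL {ver} -> {state}")
```

Run it as `python scan_apk.py YourApp.apk`; with no argument it scans the built-in sample and prints the single entry carrying the banner. A banner found in a `lib/.../*.so` you did not build yourself points at a third-party native library that statically linked OpenSSL, which is the usual explanation when nothing in your own build links it.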