Security warning from Google
-
wrote on 3 May 2015, 00:44 last edited by
Hi, I'm using QT for an Android app (built on a windows machine), and just recently, received a warning from Google about security issues with the OpenSSL I'm using.
I'm not doing anything special, but I am using standard libraries like QNetworkAccessManager and QUrlQuery.
I'm also using QT 5.4.
Has anyone else received this warning (full text down below) and perhaps solved it by updating something?
Thanks,
Erik
Full text of warning from Google:
Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible.The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.
To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.
-
Hi, I'm using QT for an Android app (built on a windows machine), and just recently, received a warning from Google about security issues with the OpenSSL I'm using.
I'm not doing anything special, but I am using standard libraries like QNetworkAccessManager and QUrlQuery.
I'm also using QT 5.4.
Has anyone else received this warning (full text down below) and perhaps solved it by updating something?
Thanks,
Erik
Full text of warning from Google:
Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible.The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.
To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.
Hi,
@qt_erik said:
Has anyone else received this warning (full text down below) and perhaps solved it by updating something?
Qt does not ship with OpenSSL.
You need to update your local copy of OpenSSL, OR create a dynamically-linked build instead of a statically-linked one.
-
wrote on 4 May 2015, 01:39 last edited by
Thanks JKSH, you said "Qt does not ship with OpenSSL," and that is the reason I am reaching out on this forum.
I don't have OpenSSL installed on my build machine, nor do I link to it anywhere in my build process, either statically or dynamically.I'm confused as to why Google thinks I have any version of OpenSSL in my APK file let alone an old one.
Maybe their detection software is looking at something else or was an erroneous email warning?
I'll reach out to Google and see if they have anything to say on the issue.
Thanks,
Erik
-
Thanks JKSH, you said "Qt does not ship with OpenSSL," and that is the reason I am reaching out on this forum.
I don't have OpenSSL installed on my build machine, nor do I link to it anywhere in my build process, either statically or dynamically.I'm confused as to why Google thinks I have any version of OpenSSL in my APK file let alone an old one.
Maybe their detection software is looking at something else or was an erroneous email warning?
I'll reach out to Google and see if they have anything to say on the issue.
Thanks,
Erik
Hi Erik,
@qt_erik said:
Thanks JKSH, you said "Qt does not ship with OpenSSL," and that is the reason I am reaching out on this forum.
I don't have OpenSSL installed on my build machine, nor do I link to it anywhere in my build process, either statically or dynamically.I'm confused as to why Google thinks I have any version of OpenSSL in my APK file let alone an old one.
Maybe their detection software is looking at something else or was an erroneous email warning?
I'll reach out to Google and see if they have anything to say on the issue.
That sounds quite odd indeed. Sorry I don't have any knowledge on this issue, as I don't develop Android apps. I do know that the official Qt builds always link to OpenSSL dynamically for legal reasons -- Qt loads OpenSSL dynamically if it's available on the target device.
Have a look through the first several results at https://www.google.com/search?q=site:doc.qt.io/qt-5/+openssl+android -- does anything jump out at you?
Also, try Google's suggestion and see if it provides any clues:
To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")
-
Hmm, this user has reported the same issue: https://forum.qt.io/topic/53883/
-
wrote on 6 May 2015, 18:59 last edited by
I was able to upgrade the version of OpenSSL by using the Qt MaintenanceTool.exe and updating everything to the latest. Have yet to submit to Google, but I think it may be the solution.
1/6