谷歌播放和OpenSSL警告信息 [英] Google Play and OpenSSL warning message

问题描述

我刚刚接到了来自谷歌的邮件发挥声明：

I just received an email from Google play stating:

您好，

您的一个应用程序或多个运行的是过时的版本的OpenSSL，   其中有多个安全漏洞。你应该更新的OpenSSL   尽快地。有关最新信息   在OpenSSL的安全漏洞，请参阅   <一href="http://www.openssl.org/news/secadv_20140605.txt">http://www.openssl.org/news/secadv_20140605.txt.

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

请注意，虽然目前还不清楚这些具体问题是否影响   您的应用程序，与用户暴露安全漏洞的应用程序   妥协的风险可能被认为是危险产品和   被遣返从谷歌播放。

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.

问候，

谷歌播放团队

©2014谷歌公司1600年剧场百汇山景，CA 94043

©2014 Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043

电子邮件preferences：你收到这封电子邮件服务   公告通知您有重大变更，您的谷歌播放   帐户。

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

我没有明确地包括OpenSSL的任何我的应用程序。它使用Android NDK的应用程序是使用NDK 9D（最新的）。唯一的外部机库我使用的ffmpeg的和OpenCV和一些广告库，不具备原生code包括在内。

I have not explicitely included OpenSSL in any of my apps. The apps which use the Android NDK are using NDK 9d (the latest). The only external native libraries I do use are ffmpeg and OpenCV and some advertising libraries which do not have native code included.

还能在哪里的OpenSSL包含导致此警告？

Where else could OpenSSL be included causing this warning?

问候，

推荐答案

我写了一个bash脚本，将显示OpenSSL的版本的东西在你的应用程序，以及是否TLS心跳方法包括静态链接。

I wrote a bash script which will display the OpenSSL versions of anything statically linked in your app and whether TLS heartbeat methods are included.

这工作在极少数的APK我扔在这的。 OpenSSL的版本字符串被专门用一个版本号和日期提取。如果谷歌标志的APK，这不能找到它，放松OpenSSL的正则表达式中egrep命令只为OpenSSL，看看，让你。

This worked on a handful of APKs I threw at it. The OpenSSL version string is being specifically extracted with a version number and date. If Google flags the APK and this can't find it, relax the OpenSSL regex in the egrep command to just "OpenSSL" and see where that gets you.

将以下文件中的例如testopenssl.sh

Put the following in a file e.g. testopenssl.sh

用法：./testopenssl.sh APK_File

usage: ./testopenssl.sh APK_File

#!/bin/bash
sslworkdir="ssl_work_dir"
if [ ! -d $sslworkdir ]; then
  mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s\n" "${opensslarr[@]}"
    heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
    #Stackoverflow syntax highlight fix closing 'block comment' */
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contains heartbeat methods:"
    printf "%s\n" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir

这篇关于谷歌播放和OpenSSL警告信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！