Hi all,
I’m on the Android Security Team. In response to your questions:
(1) You can determine which apps are using OpenSSL via ("$ unzip -p
YourApp.apk | strings | grep "OpenSSL"")
(2) Please update all statically linked versions of OpenSSL to 1.0.1h,
1.0.0m, or 0.9.8za.
(3) If you are using a 3rd party library that bundles OpenSSL, please
notify the 3rd party and work with them to address this.
Best,
- Eric
On Saturday, June 14, 2014 2:06:58 AM UTC-7, jayapal ravi wrote:
>
> Here's the headers from mine, i am not sure.
>
> from: Google Play <googlepla...@google.com <javascript:>>reply-to:
> googlepla...@google.com <javascript:>
> to: jra*******@gmail.com
> date: Thu, Jun 12, 2014 at 4:47 PMsubject: Security Alert: You are using
> a highly vulnerable version of OpenSSLmailed-by:
> scoutcamp.bounces.google.comsigned-by: google.com
> On Friday, June 13, 2014 12:38:25 PM UTC-7, Jeffrey Walton wrote:
>>
>> On Thu, Jun 12, 2014 at 9:30 PM, Neil Burlock <burloc...@gmail.com>
>> wrote:
>> > I just received a cryptic email from Google stating that "one or more"
>> or my
>> > apps is using outdated SSL code.
>> >
>> > Is there some reliable way for me to find out what they are referring
>> to? I
>> > haven't implemented SSL into my apps, so it has to be some 3rd party
>> tool
>> > that's doing it.
>> >
>> > The email threatens that if I guess it wrong, my apps could be
>> suspended.
>> > Three or more policy violations usually equals account termination. I
>> could
>> > update all APIs used and I could still miss whatever is doing it
>> because it
>> > might be some feature built into the tool I used to write the apps.
>> >
>> > Google knows which apps are affected, and I need to find out what they
>> know.
>> >
>> > I've been unable to find a way to contact anyone at Google for help.
>> I've
>> > tried searching, but I keep ending up at the "help center".
>> >
>> > Is there some sort of email address for security issues?
>> Can you post the message headers from the original email? I'm
>> wondering if its a hoax.
>>
>> This is causing a number of concerns from folks around the web. But
>> the Google Security Blog does not mention it
>> (http://googleonlinesecurity.blogspot.com/).
>>
>> A hoax would make sense: its someone's prank; the emails lacks useful
>> details or information because its a prank; and Google has not taken
>> the time to explain it on their blogs because they did not send it.
>>
>
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to android-security-discuss+unsubscr...@googlegroups.com.
To post to this group, send email to android-security-discuss@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
