I think Eric Davis actually made it pretty clear what's needed.

Here's what it boils down to:

1. Scanning the apk for the insecure versions of OpenSSL is easy.
2. Doing extensive tests to verify that a particular app is NOT using
OpenSSL even though it's statically linking it is probably not practical
for Google to do.
3. If you're statically linking to an insecure version of OpenSSL, Google
wants you to link to one of the secure versions of OpenSSL.

My advice to you is follow Eric Davis' instructions on this matter. Google 
is not going to make an exception in your case just because, even though 
you're using an insecure version of OpenSSL, you're only using the safe 
parts.  There are probably tens of thousands of other developers who could 
say exactly the same thing (including me).


On Tuesday, June 17, 2014 8:03:53 AM UTC-4, Philipp Nagele wrote:
>
> The same here. We have been approached by several clients, who are alarmed 
> by the email. Our library uses OpenSSL but only parts from libcrypto, which 
> are not affected by the heartbeat issue.
>
> Can you share more insights into the process here?
>
> Thx
> Phil 
>
>
> Am Montag, 16. Juni 2014 00:04:51 UTC+2 schrieb Jeffrey Walton:
>>
>> On Sun, Jun 15, 2014 at 5:28 PM, Eric Davis <eda...@google.com> wrote:
>>
>>> Hi all,
>>>
>>> I’m on the Android Security Team.  In response to your questions:
>>>
>>> (1) You can determine which apps are using OpenSSL via
>>>     $ unzip -p YourApp.apk | strings | grep "OpenSSL"
>>> (2) Please update all statically linked versions of OpenSSL to 1.0.1h, 
>>> 1.0.0m, or 0.9.8za.
>>> (3) If you are using a 3rd party library that bundles OpenSSL, please 
>>> notify the 3rd party and work with them to address this.
>>>
>> Did the scan test for use of vulnerable OpenSSL functions, or did it just 
>> check for the presence of the strings?
>>
>> I ask because I build libraries using crypto (AES, HMAC and BIGNUMs) from 
>> OpenSSL's libcrypto. I don't use the vulnerable functions from OpenSSL's 
>> libssl. I ship the libraries I build to others (and I don't build GUI 
>> programs that consume them).
>>
>> Jeff
>>  
>>
>>>
>>> On Saturday, June 14, 2014 2:06:58 AM UTC-7, jayapal ravi wrote:
>>>
>>>> Here's the headers from mine, i am not sure.
>>>>
>>>> from: Google Play <googlepla...@google.com>
>>>> reply-to: googlepla...@google.com
>>>> to: jra*******@gmail.com
>>>> date: Thu, Jun 12, 2014 at 4:47 PM
>>>> subject: Security Alert: You are using a highly vulnerable version of OpenSSL
>>>> mailed-by: scoutcamp.bounces.google.com
>>>> signed-by: google.com
>>>>
>>>> On Friday, June 13, 2014 12:38:25 PM UTC-7, Jeffrey Walton wrote:
>>>>>
>>>>> On Thu, Jun 12, 2014 at 9:30 PM, Neil Burlock <burloc...@gmail.com> 
>>>>> wrote: 
>>>>> > I just received a cryptic email from Google stating that "one or
>>>>> > more" of my apps is using outdated SSL code.
>>>>> >
>>>>> > Is there some reliable way for me to find out what they are
>>>>> > referring to? I haven't implemented SSL into my apps, so it has to
>>>>> > be some 3rd party tool that's doing it.
>>>>> >
>>>>> > The email threatens that if I guess it wrong, my apps could be
>>>>> > suspended. Three or more policy violations usually equals account
>>>>> > termination. I could update all APIs used and I could still miss
>>>>> > whatever is doing it because it might be some feature built into
>>>>> > the tool I used to write the apps.
>>>>> >
>>>>> > Google knows which apps are affected, and I need to find out what
>>>>> > they know.
>>>>> >
>>>>> > I've been unable to find a way to contact anyone at Google for help.
>>>>> > I've tried searching, but I keep ending up at the "help center".
>>>>> >
>>>>> > Is there some sort of email address for security issues?
>>>>>
>>>>> Can you post the message headers from the original email? I'm
>>>>> wondering if it's a hoax.
>>>>>
>>>>> This is causing a number of concerns from folks around the web. But 
>>>>> the Google Security Blog does not mention it 
>>>>> (http://googleonlinesecurity.blogspot.com/). 
>>>>>
>>>>> A hoax would make sense: it's someone's prank; the email lacks useful 
>>>>> details or information because it's a prank; and Google has not taken 
>>>>> the time to explain it on their blogs because they did not send it. 
>>>>>
>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-security-discuss+unsubscr...@googlegroups.com.
To post to this group, send email to android-security-discuss@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
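The check described in the thread, carried one step further: find the OpenSSL version banner inside an APK's bundled files and compare it against the fixed releases Eric Davis named (1.0.1h, 1.0.0m, 0.9.8za). This is an added example, not code from the thread, from Google or from OpenSSL; the constructed sample APK, its entry names and the banner text are assumptions made up for the demonstration. Like the `strings | grep` one-liner, it works purely from the version string and cannot tell whether the app actually calls the affected code, which is the point Jeffrey Walton and Philipp Nagele raise.

```python
"""Scan an APK for a bundled OpenSSL version banner and compare it with the
fixed releases named in the thread. Added example; not Google's scanner."""
import io
import re
import zipfile

# Minimum letter release per branch, as stated in Eric Davis's note.
FIXED_LETTER = {
    (1, 0, 1): "h",
    (1, 0, 0): "m",
    (0, 9, 8): "za",
}

# libcrypto embeds a banner such as "OpenSSL 1.0.1g 7 Apr 2014".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'1.0.1g' -> ((1, 0, 1), 'g'); raises ValueError on anything else."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_fixed(version):
    """True/False against the branch floor; None for a branch not covered."""
    branch, letter = parse_version(version)
    floor = FIXED_LETTER.get(branch)
    if floor is None:
        return None
    # Letter releases sort as plain strings: '' < 'a' < ... < 'z' < 'za'.
    return letter >= floor


def scan_apk(apk):
    """apk: path or bytes of a zip. One finding per entry that mentions
    OpenSSL: status is 'vulnerable', 'fixed', 'unknown-branch', or
    'mention-only' (the word appears but no version banner does)."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    findings = []
    with zipfile.ZipFile(src) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)  # decompressed, like `unzip -p`
            if b"OpenSSL" not in data:
                continue
            versions = sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})
            if not versions:
                findings.append({"entry": info.filename, "status": "mention-only"})
                continue
            for v in versions:
                fixed = is_fixed(v)
                status = {True: "fixed", False: "vulnerable", None: "unknown-branch"}[fixed]
                findings.append({"entry": info.filename, "version": v, "status": status})
    return findings


def build_sample_apk():
    """Constructed sample: a zip shaped like an APK with fake native libs
    that carry OpenSSL banners. Not a real app; the names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("lib/armeabi/libold.so",
                   b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.1g 7 Apr 2014\x00")
        z.writestr("lib/armeabi/libnew.so",
                   b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.1h 5 Jun 2014\x00")
        z.writestr("assets/about.txt",
                   b"This product includes software developed by the OpenSSL Project\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for f in scan_apk(target):
        print(f["status"], f["entry"], f.get("version", ""))
```

Run it with a path to an APK, or with no argument to scan the constructed sample. The 'mention-only' status is what a bare `grep "OpenSSL"` would also report (a licence notice, say) with nothing actionable behind it; only the 'vulnerable' entries are the ones the advice in the thread applies to.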