Android Google Play and OpenSSL warning message
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/24197777/
Google Play and OpenSSL warning message
Asked by Hyndrix
I just received an email from Google play stating:
Hello,
One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
Regards,
Google Play Team
© 2014 Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043
Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.
I have not explicitly included OpenSSL in any of my apps. The apps which use the Android NDK are using NDK 9d (the latest). The only external native libraries I do use are ffmpeg and OpenCV and some advertising libraries which do not have native code included.
Where else could OpenSSL be included causing this warning?
Regards,
Answered by caller9
I wrote a bash script which will display the OpenSSL versions of anything statically linked in your app and whether TLS heartbeat methods are included.
This worked on a handful of APKs I threw at it. The OpenSSL version string is being specifically extracted with a version number and date. If Google flags the APK and this can't find it, relax the OpenSSL regex in the egrep command to just "OpenSSL" and see where that gets you.
Put the following in a file e.g. testopenssl.sh
usage: ./testopenssl.sh APK_File
#!/bin/bash
# usage: ./testopenssl.sh APK_File
if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "usage: $0 APK_File" >&2
    exit 1
fi
sslworkdir="ssl_work_dir"
if [ ! -d "$sslworkdir" ]; then
    mkdir "$sslworkdir"
fi
# An APK is a zip file; unpack it so every bundled .so can be searched
unzip -q "$1" -d "$sslworkdir"
# Set delimiter to ignore spaces (one array element per matched line)
IFS=$'\r\n'
# Create an array of OpenSSL version strings, e.g. "OpenSSL 1.0.1g 7 Apr 2014"
# (GNU egrep has no \d, so digits are written as [0-9])
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s[0-9]+\.[0-9]+\.[0-9]+\w*\s[0-9]+\s\w+\s[0-9]+" "$sslworkdir"/*))
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s\n" "${opensslarr[@]}"
    # List (-l) the files whose code still carries the TLS heartbeat handlers
    heartbeatarr=($(grep -R -l -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_heartbeat)" "$sslworkdir"/*))
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contain heartbeat methods:"
        printf "%s\n" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
rm -rf "$sslworkdir"
Answered by jww
According to Eric Davis on the Android Security Discussions mailing list in response to Security Alert: You are using a highly vulnerable version of OpenSSL:
- You can determine which apps are using OpenSSL via ($ unzip -p YourApp.apk | strings | grep "OpenSSL")
- Please update all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za. (Note by jww: this version will change over time as new versions of OpenSSL are released).
- If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this.
When you get this message, you should update both the NDK and IDE you are using. I've seen reports of some versions of the NDK including a downlevel header. I also suspect the IDE you are using could be providing a downlevel OpenSSL version (I don't use the IDEs on Android, so I have not encountered it).
If you are not directly using OpenSSL, then the SDKs are providing the vulnerable version of OpenSSL. In this case, you should update your SDKs. If you need to locate the downlevel OpenSSL among SDKs, then see How to check which dependancy causes OpenSSL vulnerability.
Google also provides Updating Your Security Provider to Protect Against SSL Exploits, but I suspect it will still trigger the message because it appears to be a basic string search.
It's often easier to update everything rather than trying to figure out who is providing the downlevel version of OpenSSL. After you spend the time to determine who is providing it, your actionable item is the same: update the SDK. So why waste time on it; just update all of them and enjoy the other bug fixes, too.
There are still open questions, though: if one uses the cryptography from libcrypto (for example RAND_bytes or EVP_encrypt) and not the SSL/TLS functions from libssl (for example, SSL_connect), will it still trigger the warning? That is, is Google scanning for use of vulnerable functions, or is Google scanning for the OpenSSL version via strings?
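The version strings that caller9's script and the unzip -p | strings | grep "OpenSSL" one-liner above turn up still have to be judged against the patched releases Eric Davis lists (1.0.1h, 1.0.0m, 0.9.8za). The bash script below is an added example, not code from the question or from any of the answers: it pulls bare version tokens out of strings-style output and reports whether each one predates the fix for its branch, using OpenSSL's letter-suffix ordering (no suffix < a < b < ... < z < za < zb). The sample input is constructed, the function names are mine, and the fixed-version table is an assumption frozen at the June 2014 advisory; later advisories raised those minimums, so refresh the table before relying on it.

```shell
#!/bin/bash
# Added example (not code from the question or the answers): classify the
# OpenSSL version strings found inside an APK against the patched releases
# named in the Android security alert: 1.0.1h, 1.0.0m, 0.9.8za.
# ASSUMPTION: those three minimums are frozen at the June 2014 advisory;
# later advisories raised them, so refresh the table before relying on it.

# Minimum patched release for a branch; empty when the branch is not listed.
min_for_branch() {
    case "$1" in
        1.0.1) echo "1.0.1h" ;;
        1.0.0) echo "1.0.0m" ;;
        0.9.8) echo "0.9.8za" ;;
        *)     echo "" ;;
    esac
}

# "1.0.1g" -> branch "1.0.1"; "1.0.1g" -> letter suffix "g" (may be empty).
branch_of() { printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'; }
suffix_of() { printf '%s\n' "$1" | sed -E 's/^[0-9]+\.[0-9]+\.[0-9]+([a-z]*).*/\1/'; }

# OpenSSL letter releases order as: (none) < a < b < ... < z < za < zb < ...
# so a shorter suffix is always older; equal lengths compare alphabetically.
# Returns 0 (true) when suffix $1 is older than suffix $2.
suffix_lt() {
    [ "$1" = "$2" ] && return 1
    if [ ${#1} -ne ${#2} ]; then
        [ ${#1} -lt ${#2} ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
    fi
}

# Exit status: 0 = affected (older than the fix), 1 = patched, 2 = branch unknown.
openssl_is_outdated() {
    local ver="$1" branch min
    branch=$(branch_of "$ver")
    min=$(min_for_branch "$branch")
    [ -n "$min" ] || return 2
    suffix_lt "$(suffix_of "$ver")" "$(suffix_of "$min")"
}

# Pull unique bare version tokens ("1.0.1g") out of strings-style text on stdin.
extract_versions() {
    grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | sed 's/^OpenSSL //' | sort -u
}

# One verdict per version found on stdin; exit 0 if any affected release is present.
report() {
    local v rc found=1
    for v in $(extract_versions); do
        rc=0
        openssl_is_outdated "$v" || rc=$?
        case $rc in
            0) echo "AFFECTED $v (older than $(min_for_branch "$(branch_of "$v")"))"; found=0 ;;
            1) echo "patched  $v" ;;
            *) echo "unknown  $v (branch not in the table; check the current openssl.org advisory)" ;;
        esac
    done
    return $found
}

# Constructed sample of what `unzip -p app.apk | strings` might emit for a
# statically linked libssl plus a newer branch the table does not cover.
SAMPLE_STRINGS='libavformat
OpenSSL 1.0.1g 7 Apr 2014
SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL 0.9.8y 5 Feb 2013
OpenSSL 1.0.2d 9 Jul 2015'

printf '%s\n' "$SAMPLE_STRINGS" | report
```

To run it against a real build, replace the sample with `unzip -p YourApp.apk | strings | report`; a non-zero exit from report is the cheap signal to wire into CI so a regressed third-party SDK is caught before upload rather than by Google's scan.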
Answered by kads
I also have this problem because the version of Facebook's SDK I am using is not updated. So if you are using it too, just try to use the updated version of Facebook's SDK v3.21.1, and that warning is solved.
Answered by Ali Raza
If you are using cocos2dx then you need to update the curl library. Please download the updated curl library from here http://cocostudio.download.appget.cn/Cocos2D-X/curl.zip and replace it with the current curl library present in cocos2dx.
To be on the safe side, please also update your Mac OpenSSL version; for this, follow this link http://javigon.com/2014/04/09/update-openssl-in-osx/
Answered by Kalu Khan Luhar
I had this issue. I am using the ffmpeg lib and .so files, and I resolved the issue by the steps below. First, I use Android Studio. So, if you're using Eclipse, try to find your own way.
The cause of the issue is the libavformat.so file, which is using OpenSSL 1.0.2d. We need to update it. But just updating libavformat.so will cause crashing, so we need to update all related libs (javacv and javacpp).
- Download javacv-1.2-bin.zip and javacpp-1.2.3-bin.zip from https://github.com/bytedeco/javacv and https://github.com/bytedeco/javacpp
- Extract them and copy ffmpeg.jar, javacpp.jar, javacv.jar and opencv.jar to [yourproject]\libs.
- Extract ffmpeg-android-arm.jar and opencv-android-arm.jar (find them after extracting javacv-1.2-bin.zip); you will collect the new version of the .so files.
- Replace the old files in [yourproject]\src\main\jniLibs\armeabi-v7a with the new version (almost all .so files will be replaced, but not all of them).
- Sometimes you need to copy the javacpp-presets-1.2.pom file to [yourproject]\libs, too. You can search for it on Google.
- Modify the module build.gradle of your project:

apply plugin: 'com.android.library'

android {
    compileSdkVersion 23
    buildToolsVersion "23.0.3"

    defaultConfig {
        minSdkVersion 14
        targetSdkVersion 23
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }

    packagingOptions {
        exclude 'META-INF/services/javax.annotation.processing.Processor'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/1.2/javacpp-presets-1.2.pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/org.bytedeco.javacpp-presets-1.2.pom.xml'
    }
}

configurations {
    all*.exclude group: 'org.bytedeco', module: 'javacpp-presets'
}

repositories {
    mavenCentral()
}

dependencies {
    compile 'com.android.support:support-v4:23.2.1'
    compile files('libs/opencv.jar')  // 1.2
    compile files('libs/javacv.jar')  // 1.2
    compile files('libs/javacpp.jar') // 1.2.3
    compile files('libs/ffmpeg.jar')  // 1.2
}

- Clean project and rebuild.
Reference: kieukhuongthinh's comment