Google play - security alert

I have a game on google play since 29th Oct 2014 and today this alert shows up in my developer console

Security alert

Your app is statically linking against a version of OpenSSL that has multiple security vulnerabilities. You should update OpenSSL as soon as possible.

The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.

To confirm that you've upgraded correctly, upload the updated version to the Developer Console and check back after five hours.

Please note: While it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play.

Can someone please explain me what's this all about?

Yeah this just popped up on my games as well. Do you use Crosswalk? also did you use any third party plugins?

Crosswalk was used for the build

Excluding all official pluigins, just the Paster as a third party one. From official ones probably AdmobAds is the one to cause some issue. Don't think array, browser, sprite, audio etc have something to do with it.

I have 2 crosswalk games on the market, and both of them have the alert as well.

Yesterday this alert disappeared after some time but today it's back again.

Today is the first time I noticed it; but that isn't saying much It could have been there for a while. I would have to believe that Admob is the issue; as it is the only thing in my apps that even uses the network, let alone secure connections.

mjg7876 I don't think it is Admob, a couple of apps I have that have no Ads (admob or otherwise) are getting this alert also. One of them has no outbound links whatsoever.

Just got an email from Google Play about this.

same over here

Same notifications here. Anyone has a clue on this?

+1

I got this for a few months already:

"Security alert

This app is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova v3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements ... d-351.html

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play."

— has said these security flags are fixed in Crosswalk 9, which is due to be released soon.

So, one of my games that had the alert no longer has it,yet another still does. One difference between the 2 is the one with the alert uses google play services for a leaderboard, the other does not. Anyone else with the alert use google play services? Also was that reply from — about this alert, or about the XAS alert?

Hi,

I recompiled my apps and updated them in the play-store. For several weeks there was no message an I thought, that an updated of Construct 2 or the IntelXDK might have solved the issue - but on yesterday the open-ssl-message returned again.

There is absolutely no link visible to openssl inside crosswalk. So it might make sense to change the framework? Does somebody know any alternatives?

best regards