Google play - security alert

Discussion and feedback on Construct 2

Post » Thu Dec 18, 2014 1:56 pm

+1
B
34
S
6
G
3
Posts: 67
Reputation: 3,618

Post » Thu Dec 18, 2014 11:54 pm

I got this for a few months already:

"Security alert
This app is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.
You should upgrade to Apache Cordova v3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements ... d-351.html
Please note, applications with vulnerabilities that expose users to risk of compromise may be considered "dangerous products" and subject to removal from Google Play."

@Intel_Roberts has said these security flags are fixed in Crosswalk 9, which is due to be released soon.
B
70
S
24
G
19
Posts: 1,757
Reputation: 17,614

Post » Fri Dec 19, 2014 3:16 am

B
21
S
5
G
1
Posts: 102
Reputation: 1,741

Post » Mon Dec 22, 2014 4:00 am

So, one of my games that had the alert no longer has it,yet another still does. One difference between the 2 is the one with the alert uses google play services for a leaderboard, the other does not. Anyone else with the alert use google play services? Also was that reply from @Intel_Roberts about this alert, or about the XAS alert?
B
4
Posts: 12
Reputation: 272

Post » Sat Jan 17, 2015 6:30 am

Hi,


I recompiled my apps and updated them in the play-store. For several weeks there was no message an I thought, that an updated of Construct 2 or the IntelXDK might have solved the issue - but on yesterday the open-ssl-message returned again.
There is absolutely no link visible to openssl inside crosswalk. So it might make sense to change the framework? Does somebody know any alternatives?

best regards
B
3
Posts: 1
Reputation: 177

Post » Sat Jan 17, 2015 10:34 am

I fixed all of these in late 2014, wake up today and all of the alerts are back again. Anyone know anything?
B
8
S
1
Posts: 90
Reputation: 644

Post » Sat Jan 17, 2015 1:57 pm

From my experience with how the inners of APKs work, basically there is a link or a web request in the apps somewhere that is requesting a secure link. That warning is saying that the server that is hosting that secure link is using OpenSSL. I couldn't help you more otherwise. The only thing I could suggest is look at the exported code, both from Construct and from XDK, and see where there are request to any HTTPS links. You would have to investigate what those links are used for, where they are connecting, etc...
Kurieus
Come visit and play Blast Box!
B
15
S
3
Posts: 205
Reputation: 1,349

Post » Sat Jan 17, 2015 7:20 pm

Just update Intel XK, rebuild your app and reupload to Google.
Image
B
16
S
7
Posts: 126
Reputation: 1,910

Previous

Return to Construct 2 General

Who is online

Users browsing this forum: Jeffjn, kiki4construct and 3 guests