I have an app published on Google Play and I received an email saying that my app has an issue with its Cordova version and OpenSSL version. I downloaded and applied a fix to my app for Worklight 6.0.2, then rebuilt and redeployed it to the Google Store. The Cordova warning stopped, but the OpenSSL one is still there.
I did a grep on my .apk file and had this result:
unzip -p myApp.apk | strings | grep "OpenSSL"
and
From reading some articles, I guess that the problem is in OpenSSL 1.0.xxx, and from the grep results I see I have two OpenSSL versions, 1.0.1 and 1.1.0. I don't know if my app has some third-party library that's using the old OpenSSL version. I'm using Xtify in this project. Maybe that is the problem?
I know that Stack Overflow had other posts about this OpenSSL issue, but none about this issue with Worklight + Xtify.
Thanks!




Please note that Worklight v6.0.2 is not vulnerable to CVE-2016-0701 and CVE-2015-3197.
However, we are aware that Google is flagging the version of OpenSSL currently embedded with Worklight v6.0.2. We are updating the OpenSSL library to make sure it does not continue to trigger false positives as part of the Google Play review process.
The issue is being addressed through an iFix. The APAR that addresses it is: PI60605 OPENSSL RECEIVED SECURITY UPDATES AND MUST BE UPGRADED TO 1.0.2F (105608).
If you have questions or concerns about security vulnerabilities in our product, please report them through PMRs.
I hope this helps.
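
The grep in the question shows that OpenSSL strings exist somewhere in the APK, but not which file carries them. The following is an added example (not part of the original posts, and not IBM's or Xtify's code) that lists the OpenSSL version banners per APK entry so the bundled library responsible can be identified. The 1.0.2f threshold is assumed from the APAR title above, and the sample archive and its file names are constructed.

```python
import io
import re
import zipfile

# Matches banners such as b"OpenSSL 1.0.1e 11 Feb 2013" inside binary data.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse(m):
    """Turn a regex match into a sortable key, e.g. (1, 0, 1, 'e')."""
    return (int(m[1]), int(m[2]), int(m[3]), m[4].decode())

def openssl_versions_by_entry(apk):
    """Map each APK entry name to the set of OpenSSL versions found in it."""
    found = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            versions = {parse(m) for m in BANNER.finditer(z.read(name))}
            if versions:
                found[name] = versions
    return found

def below(found, minimum=(1, 0, 2, "f")):
    """Entries holding a version older than `minimum` (assumed from the APAR title)."""
    return {n: sorted(v for v in vs if v < minimum)
            for n, vs in found.items() if any(v < minimum for v in vs)}

def fmt(v):
    """Render a version key back to text, e.g. '1.0.1e'."""
    return "%d.%d.%d%s" % v

def build_sample_apk():
    """Constructed stand-in for an APK: a zip with two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libold.so", b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        z.writestr("lib/armeabi/libnew.so", b"\x7fELF\x00OpenSSL 1.0.2f  28 Jan 2016\x00")
        z.writestr("assets/www/index.html", b"<html></html>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    found = openssl_versions_by_entry(build_sample_apk())  # or a path to a real .apk
    for name, versions in sorted(found.items()):
        print(name, [fmt(v) for v in sorted(versions)])
    print("older than 1.0.2f:", sorted(below(found)))
```

Passing the path of a real `.apk` to `openssl_versions_by_entry` shows whether the old banner sits in a platform-supplied library or in one pulled in by a third-party SDK.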