2

I am using the latest version of the Twilio Android SDK in a commercial application (and paying Twilio for the privilege). Based on https://support.google.com/faqs/answer/6376725, Google Play Store is going to stop allowing us to update our apps in the store past July 11th 2016 as a result of the 'Logjam' vulnerability. This is due to the fact that the latest version of Twilio has OpenSSL 1.0.1k bundled; whereas the security vulnerability is only removed in 1.01r (or 1.02f).

I have sent a message to Twilio support on this issue but have no idea about their response time. Is anyone else having the issue? Does anyone know how quickly Twilio tend to update their bundled version of OpenSSL? Or if they have plans to update to 1.01r anytime soon? Or indeed, how often they tend to reply to queries on their 'Talk to Support' page?

Megan Speir
Villa

1 Answer

3

Twilio responded just now (impressed with the speedy reply). Here is what they said:

Thank you for contacting us, this is indeed a valid concern.

We have just released Android Client version 1.2.11, which can be downloaded from:

http://media.twiliocdn.com/sdk/android/client/latest/twilio-client-android.tar.bz2

Our change log on the website will be updated in the next day or two; therefore, I am enclosing the release notes for your review.

Release Notes: Twilio Client SDK for Android 1.2.11

1.2.11 (Apr. 14th, 2016)

CLIENT-2103 - OpenSSL has been upgraded to 1.0.1s. This version satisfies recent warnings seen by publishers to the Google Play store.
CLIENT-2321 - MIPS architecture support has been removed.
CLIENT-2338 - In an application with targetSDKVersion 23 or higher, the SDK will now fail to initialize (and log an error) if the user has not granted runtime microphone permissions.

Bug Fixes

CLIENT-2027 - Resolved an UnsatisfiedLinkError when running Android 6 on x86 devices/emulators due to text relocations.
CLIENT-2104 - Fixed a sporadic UnsatisfiedLinkError occurring when attempting to load the Twilio library on older devices.
CLIENT-2367 - The SDK no longer fires a Device.OnStopListening event when the PresenceEvent server disconnects.
CLIENT-2325 - Twilio.getVersion() now returns only Major.Minor.Patch.

Might help others with the same problem :)

jww
Villa
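One way to confirm which OpenSSL build actually ships inside an APK's native libraries, before and after an SDK upgrade like the one described in the answer. This is an added example, not code from the original posts or from Twilio; the entry name `libexample.so` and the sample APKs are constructed, and the thresholds assume the fixed releases are OpenSSL 1.0.1r and 1.0.2f.

```python
import io
import re
import zipfile

# Matches the banner OpenSSL compiles into its binaries, e.g. "OpenSSL 1.0.1k 8 Jan 2015".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)[ -]")
# Minimum patch letter per branch (assumed fixed releases: 1.0.1r and 1.0.2f).
MIN_LETTER = {(1, 0, 1): "r", (1, 0, 2): "f"}

def is_flagged(version):
    """True if (major, minor, fix, letters) precedes 1.0.1r / 1.0.2f."""
    base, letters = version[:3], version[3]
    if base in MIN_LETTER:
        return letters < MIN_LETTER[base]
    return base < (1, 0, 1)

def scan_apk(apk):
    """Return {entry name: sorted [(version string, flagged)]} for native libraries."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue  # only bundled native code carries a statically linked OpenSSL
            seen = set()
            for m in BANNER.finditer(zf.read(name)):
                ver = (int(m[1]), int(m[2]), int(m[3]), m[4].decode())
                seen.add(("%d.%d.%d%s" % ver, is_flagged(ver)))
            if seen:
                findings[name] = sorted(seen)
    return findings

def make_sample_apk(banner):
    """Constructed stand-in for an APK: one fake .so holding an OpenSSL banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libexample.so", b"\x7fELF\x00" + banner + b"\x00")
        zf.writestr("classes.dex", b"OpenSSL 0.9.8 ignored: not a native library")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample banners for the bundled versions named in the question and answer.
    for banner in (b"OpenSSL 1.0.1k 8 Jan 2015", b"OpenSSL 1.0.1s  1 Mar 2016"):
        print(scan_apk(make_sample_apk(banner)))
```

To check a real build, pass the path of the release APK to `scan_apk` and fail the build if any finding is flagged.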