I am developing android apps in AndEngine and Cocos2dx.
I have received a mail today from Google Play, that says: "One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. ..."
I download an app called bluebox testing(HeartBleed Scanner).
What i found was, apps build using cocos2dx were the apps with openSSL while apps build using AndEngine were not in the list generated by heartbleed scanner.
Is there anyone who knows the issue exactly and how to solve it?

Right now i have found one solution. The apps build in cocos2dx have this line in Android.mk
$(call import-module,extensions)
I just removed that line and removed the errors.
Clean build my app and run it again.
It was surprisingly removed from open SSL list generated by HeartBleed Scanner. I hope it works for the guys using cocos2dx.

open ssl 1.0.1g has a vulnerability that is fixed in 1.0.1h. Check out the latest post here:

http://www.openssl.org/news/vulnerabilities.html