
I have an app on the Google Play store. Recently I got a mail with the subject:

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

It states that I'm using a version of OpenSSL which is vulnerable to some issues. However, I'm not using OpenSSL directly. I'm using the OpenTok library for the video chat feature, which internally uses OpenSSL. I'm currently using OpenTok SDK version 2.3.1. But according to this link http://www.tokbox.com/blog/mobile-sdks-2-2-1-resolve-openssl-vulnerability/ all OpenSSL vulnerabilities were solved from SDK version 2.2.1 onwards (I'm currently using 2.3.1, which came much later than 2.2.1).

I used the below command on my android application (APK file):

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

I got the below logs:

"OpenSSL"
GmsCore_OpenSSL
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface

From the above logs I get confirmation that in my current APK, OpenTok is using OpenSSL 1.0.1e.

Hence I have updated the OpenTok library to the latest version, which comes with opentok-android-sdk-2.5.0. After integrating/updating to the new library, I executed the below command:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

Below are the logs for the APK with the updated OpenTok library:

"OpenSSL"
GmsCore_OpenSSL
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,

Here, we do not see any version of OpenSSL in the obtained logs.

So my questions are:

  • Does it now mean that if I update this new APK on the Google Play store, the application will be accepted?
  • Is there a way to check if my OpenSSL version is still vulnerable to the issues (as mentioned in the mail from Google Play)?
  • Is there a way to get the version of OpenSSL being used in my APK? (Although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL.)

Note:

I have gone through this Google Play and OpenSSL warning message post and all the solutions provided there, but I'm not able to get the OpenSSL version.

Any information on this would be really helpful. Thanks in advance.

Zax
  • *"I'm currently using openTok SDK version 2.3.1..."* - You should probably be using the latest version, which appears to be 2.5.1. That avoids OpenSSL altogether because of the switch to BoringSSL at version 2.4. – jww May 14 '15 at 11:27
  • @jww: Will do so. But after updating to the latest version, the OpenSSL version details disappear from the command: unzip -p apk | strings | grep "OpenSSL" – Zax May 14 '15 at 11:29
  • *"after updating to the latest version, the openssl version details disappears..."* - perfect, it sounds like it's no longer a problem for you. – jww May 14 '15 at 11:31

1 Answer

Does it now mean that if i update this new APK on the Google play store, Will the application be accepted?

Probably to Maybe. The script Google uses to police OpenSSL is pretty dumb. They flag OpenSSL for version numbers, and not use of vulnerable functions. Since there's no version information, the script may not trigger on what it believes to be a bad version.


Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from google play)?

Yes, use the strings program to dump the OpenSSL strings.


Is there a ways to get the version of OpenSSL being used in my APK (Although, $ unzip -p YourApp.apk | strings | grep "OpenSSL", was not able to list the version of OpenSSL)

I believe you need to check with the OpenTok folks here. It looks like OpenTok switched to BoringSSL at version 2.4.0. BoringSSL is Google's fork of OpenSSL.

jww
  • Thanks for the answer. Is there a way to know, if I upload the new APK, whether the Google Play folks will first inform me before blocking my app? If OpenTok is using BoringSSL v2.4.0, does it mean they will not block my app? – Zax May 14 '15 at 11:18
  • @Zax - I don't know what controls Google Play has. It seems like a good idea to scan on upload and provide the developer with feedback. But I don't know if Google Play is doing it because I don't use Google Play. (I use Cyanogenmod, which does not have a default app store or its integration). – jww May 14 '15 at 11:22
  • As I mentioned in the blog post, 2.2.1 (and all future releases before we moved to BoringSSL) have OpenSSL with necessary security patches but *not* an update to the version string, so the `strings` dump jww mentioned is going to give you a false positive for the vulnerabilities that Google Play is going after. Upgrading the OpenTok SDK is indeed the easiest way through the woods here. – wobbals May 14 '15 at 15:54
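The `unzip -p | strings | grep` pipeline used in the question, and the answer's advice to dump the OpenSSL strings, both concatenate every file in the APK, so a banner such as "OpenSSL 1.0.1e 11 Feb 2013" cannot be tied to the library that carries it, and (as wobbals points out) a banner only tells you what the version string says, not whether fixes were backported. The script below is an added example, not code from the question, the answer or the OpenTok SDK. It unpacks only the native libraries under lib/, reports each version banner per library, and marks any banner older than a cut-off version you pass in. The cut-off (1.0.1h in the usage line) is a placeholder assumption; take the real threshold from the Play notice itself. It uses `grep -a` instead of `strings` so it runs without binutils; an empty report, as with the 2.5.0 SDK dump above, means no banner was found, which is not proof that no TLS library is present.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or the OpenTok SDK):
# per-library OpenSSL banner scan of an Android APK with a version cut-off.
# Assumptions: unzip, grep -a/-o, sed -E, awk and mktemp are available, and
# the cut-off version is supplied by the caller (it is NOT Google's list).

# Print the unique "OpenSSL 1.0.1e 11 Feb 2013"-style banners in one file.
# grep -a reads the binary as text, so the binutils 'strings' tool is not needed.
openssl_banners() {
    grep -aoE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* +[0-9]+ [A-Z][a-z]+ [0-9]{4}' "$1" | sort -u
}

# Reduce a banner to its version token, e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
banner_version() {
    printf '%s\n' "$1" | sed -E 's/^OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*).*/\1/'
}

# Exit 0 when version $1 is older than $2, honouring the letter suffix scheme
# OpenSSL used at the time: 1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za.
openssl_older_than() {
    awk -v a="$1" -v b="$2" '
    function key(v,    n, m, suf) {
        m = match(v, /[a-z]+$/)                 # trailing letter suffix, if any
        if (m) { suf = substr(v, m); v = substr(v, 1, m - 1) } else { suf = "" }
        split(v, n, ".")
        # zero-padded numeric parts, then the suffix padded with spaces so that
        # "no suffix" sorts before "a" and "z" sorts before "za"
        return sprintf("%03d.%03d.%03d.%-3s", n[1], n[2], n[3], suf)
    }
    BEGIN { exit !(key(a) < key(b)) }'
}

# Walk every .so under a directory and report each banner, tagged OLD or ok
# relative to the cut-off. Paths are printed relative to the directory.
dir_openssl_report() {
    dir=$1; min=$2
    find "$dir" -name '*.so' | sort | while read -r so; do
        openssl_banners "$so" | while read -r banner; do
            v=$(banner_version "$banner")
            if openssl_older_than "$v" "$min"; then
                printf 'OLD  %s: %s\n' "${so#"$dir"/}" "$banner"
            else
                printf 'ok   %s: %s\n' "${so#"$dir"/}" "$banner"
            fi
        done
    done
}

# Unpack only the native libraries of an APK into a scratch directory and scan them.
# Usage: apk_openssl_report YourApp.apk 1.0.1h   (1.0.1h is a placeholder cut-off)
apk_openssl_report() {
    apk=$1; min=$2
    tmp=$(mktemp -d)
    unzip -q -o "$apk" 'lib/*' -d "$tmp" 2>/dev/null || true
    dir_openssl_report "$tmp" "$min"
    rm -rf "$tmp"
}

# Run as a script: ./apk_openssl_report.sh YourApp.apk 1.0.1h
if [ "$#" -ge 2 ]; then
    apk_openssl_report "$1" "$2"
fi
```

A line such as "OLD  lib/armeabi-v7a/libopentok.so: OpenSSL 1.0.1e 11 Feb 2013" tells you which library to chase with its vendor; if the report is empty after the SDK upgrade, that matches what the second dump in the question shows, and the remaining evidence has to come from the vendor's release notes rather than from the binary.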