1

I guess more than one received one mail from Google Play with the Message :

"Hello Google Play Developer,

We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL by 7/7/15. Starting on this date, Google Play will block publishing of any new apps and updates that use unsupported versions of OpenSSL.

REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement. The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm you’ve upgraded correctly, submit the updated version of the app(s) to the Developer Console and check back after five hours. Starting on 7/7/15, we will not accept app updates containing the vulnerabilities. Any new apps containing the vulnerabilities will be rejected."

So i read many posts about this , like Post 1 , Post 2 and others. and i must say that in my first version of app i don't use any library, all from Android ( I use webview ) and when i use "unzip -p YourApp.apk | strings | grep "OpenSSL"" in my first app i dont have any OpenSSL.

  • Does this mean that i have received the mail because maybe i signed apk with a old OpenSSL ? ( I use Windows , Android Studio. ) If so , should i make a signed apk manually with the last version of OpenSSL ?

  • Or does my apk must have OpenSSL required ?

In my present version i use library like : app-compact:22.2.0 ( from android,latest version ) , gms:7.5.0 ( from android, latest version ) and volley ( 1.0.16 ) and when i use "unzip -p YourApp.apk | strings | grep "OpenSSL"" gives me like result GmsCore_OpenSSL . I guess GmsCore_OpenSSL is from the library of gms so is native from Android .

  • Does this mean he has the latest OpenSSL ?
  • Do I need to initialize this in some place ?

Thank you advanced,

Community
  • 1
  • 1
Ionel
  • 31
  • 3
  • 11
  • Possible duplicate of [Google Play and OpenSSL warning message](http://stackoverflow.com/questions/24197777/google-play-and-openssl-warning-message). Ensure all your libraries, frameworks and SDKs are up to date. – jww Jul 13 '15 at 11:50
  • I know that post , and like you can see i post about that url in my question, and by the way i have all updated and latest sdk , library. But like you can see my questions are distinct. – Ionel Jul 13 '15 at 12:01

1 Answers1

1

The tool you use to sign the APK doesn't matter. If you already searched every file in the APK and couldn't find any uses of old OpenSSL, the next step is to check all the files that your APK uses indirectly.

There was one case of an App that downloaded Busybox, and Busybox contained curl, which contained an old version of OpenSSL, which caused it to get flagged.

So if you are downloading any native code libraries, run strings | grep "OpenSSL" and make sure they are up to date too.

Antimony
  • 37,781
  • 10
  • 100
  • 107