OpenSSL App rejection issue Android

Question

After researching so much, I still could not figure out what part of my app is using OpenSSL that is not accepted by Google.

After querying the below command, I received the output as:

unzip -p MyApp.apk | strings | grep "OpenSSL"

GmsCore_OpenSSL
OpenSSLDie
ECDH_OpenSSL
ECDSA_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
UI_OpenSSL
SSLv2 part of OpenSSL 1.0.1e 11 Feb 2013
SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013
TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
DTLSv1 part of OpenSSL 1.0.1e 11 Feb 2013
%s(%d): OpenSSL internal error, assertion failed: %s
AES part of OpenSSL 1.0.1e 11 Feb 2013
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default
CONF part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL CMAC method
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL PKCS#3 DH method
OpenSSL DH Method
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL DSA method
DSA part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 'dlfcn' shared library method
OpenSSL EC algorithm
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL ECDH method
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL ECDSA method
EVP part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL HMAC method
lhash part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
PEM part of OpenSSL 1.0.1e 11 Feb 2013
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
RC2 part of OpenSSL 1.0.1e 11 Feb 2013
RC4 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL RSA method
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
TXT_DB part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
MSG: DTLS-SRTP enabled but not supported. Please rebuild the code with this option enabled (requires OpenSSL 1.0.1+)
_ZN5resip12BaseSecurity20OpenSSLCTXSetOptionsE
_ZN5resip12BaseSecurity22OpenSSLCTXClearOptionsE
_ZN5resip12BaseSecurity21parseOpenSSLCTXOptionERKNS_4DataE
_Z23handleOpenSSLErrorQueueimPKc
_ZN5resip11OpenSSLInit4initEv
resip_OpenSSLInit_threadIdFunction
_ZN5resip11OpenSSLInitD2Ev
_ZN5resip11OpenSSLInit12mInitializedE
_ZN5resip11OpenSSLInit8mMutexesE
resip_OpenSSLInit_lockingFunction
_ZN5resip11OpenSSLInitC2Ev
_ZN5resip11OpenSSLInitC1Ev
_ZN5resip11OpenSSLInitD1Ev
resip_OpenSSLInit_dynCreateFunction
resip_OpenSSLInit_dynDestroyFunction
resip_OpenSSLInit_dynLockFunction
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
Not a recognized OpenSSL option name: 
SSL_CTX_new failed, dumping OpenSSL error stack:
OpenSSL error stack: 
Failed to create OpenSSL BIO for socket
OpenSSL 1.0.2a 19 Mar 2015
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL X9.42 DH method
OpenSSL PKCS#3 DH method
OpenSSL default
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
TLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
SSLv3 part of OpenSSL 1.0.2a 19 Mar 2015
DTLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
MD5 part of OpenSSL 1.0.2a 19 Mar 2015
SHA1 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-256 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-512 part of OpenSSL 1.0.2a 19 Mar 2015
Big Number part of OpenSSL 1.0.2a 19 Mar 2015
EC part of OpenSSL 1.0.2a 19 Mar 2015
iRSA part of OpenSSL 1.0.2a 19 Mar 2015
Diffie-Hellman part of OpenSSL 1.0.2a 19 Mar 2015
Stack part of OpenSSL 1.0.2a 19 Mar 2015
lhash part of OpenSSL 1.0.2a 19 Mar 2015
EVP part of OpenSSL 1.0.2a 19 Mar 2015
ASN.1 part of OpenSSL 1.0.2a 19 Mar 2015
PEM part of OpenSSL 1.0.2a 19 Mar 2015
X.509 part of OpenSSL 1.0.2a 19 Mar 2015
CONF part of OpenSSL 1.0.2a 19 Mar 2015
CONF_def part of OpenSSL 1.0.2a 19 Mar 2015
DES part of OpenSSL 1.0.2a 19 Mar 2015
libdes part of OpenSSL 1.0.2a 19 Mar 2015
AES part of OpenSSL 1.0.2a 19 Mar 2015
RC2 part of OpenSSL 1.0.2a 19 Mar 2015
IDEA part of OpenSSL 1.0.2a 19 Mar 2015
CAMELLIA part of OpenSSL 1.0.2a 19 Mar 2015
EDSA part of OpenSSL 1.0.2a 19 Mar 2015
ECDSA part of OpenSSL 1.0.2a 19 Mar 2015
ECDH part of OpenSSL 1.0.2a 19 Mar 2015
RAND part of OpenSSL 1.0.2a 19 Mar 2015
TXT_DB part of OpenSSL 1.0.2a 19 Mar 2015
MD4 part of OpenSSL 1.0.2a 19 Mar 2015
SHA part of OpenSSL 1.0.2a 19 Mar 2015
RIPE-MD160 part of OpenSSL 1.0.2a 19 Mar 2015
3RC4 part of OpenSSL 1.0.2a 19 Mar 2015
Blowfish part of OpenSSL 1.0.2a 19 Mar 2015
\CAST part of OpenSSL 1.0.2a 19 Mar 2015
_ZN5resip12BaseSecurity20OpenSSLCTXSetOptionsE
_ZN5resip12BaseSecurity22OpenSSLCTXClearOptionsE
_ZN5resip12BaseSecurity21parseOpenSSLCTXOptionERKNS_4DataE
_Z23handleOpenSSLErrorQueueimPKc
_ZN5resip11OpenSSLInit4initEv
resip_OpenSSLInit_threadIdFunction
_ZN5resip11OpenSSLInitD2Ev
_ZN5resip11OpenSSLInit12mInitializedE
_ZN5resip11OpenSSLInit8mMutexesE
resip_OpenSSLInit_lockingFunction
_ZN5resip11OpenSSLInitC2Ev
_ZN5resip11OpenSSLInitC1Ev
_ZN5resip11OpenSSLInitD1Ev
resip_OpenSSLInit_dynCreateFunction
resip_OpenSSLInit_dynDestroyFunction
resip_OpenSSLInit_dynLockFunction
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
OpenSSL error stack: 
OpenSSL 1.0.2a 19 Mar 2015
OpenSSL DH Method
OpenSSL X9.42 DH method
OpenSSL PKCS#3 DH method
OpenSSL default
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL ECDH method
Not a recognized OpenSSL option name: 
SSL_CTX_new failed, dumping OpenSSL error stack:
Failed to create OpenSSL BIO for socket
%s(%d): OpenSSL internal error, assertion failed: %s
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
TLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
SSLv3 part of OpenSSL 1.0.2a 19 Mar 2015
DTLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
MD5 part of OpenSSL 1.0.2a 19 Mar 2015
SHA1 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-256 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-512 part of OpenSSL 1.0.2a 19 Mar 2015
Big Number part of OpenSSL 1.0.2a 19 Mar 2015
EC part of OpenSSL 1.0.2a 19 Mar 2015
RSA part of OpenSSL 1.0.2a 19 Mar 2015
Diffie-Hellman part of OpenSSL 1.0.2a 19 Mar 2015
Stack part of OpenSSL 1.0.2a 19 Mar 2015
lhash part of OpenSSL 1.0.2a 19 Mar 2015
EVP part of OpenSSL 1.0.2a 19 Mar 2015
ASN.1 part of OpenSSL 1.0.2a 19 Mar 2015
PEM part of OpenSSL 1.0.2a 19 Mar 2015
X.509 part of OpenSSL 1.0.2a 19 Mar 2015
CONF part of OpenSSL 1.0.2a 19 Mar 2015
CONF_def part of OpenSSL 1.0.2a 19 Mar 2015
DES part of OpenSSL 1.0.2a 19 Mar 2015
libdes part of OpenSSL 1.0.2a 19 Mar 2015
AES part of OpenSSL 1.0.2a 19 Mar 2015
RC2 part of OpenSSL 1.0.2a 19 Mar 2015
IDEA part of OpenSSL 1.0.2a 19 Mar 2015
DSA part of OpenSSL 1.0.2a 19 Mar 2015
ECDSA part of OpenSSL 1.0.2a 19 Mar 2015
ECDH part of OpenSSL 1.0.2a 19 Mar 2015
RAND part of OpenSSL 1.0.2a 19 Mar 2015
TXT_DB part of OpenSSL 1.0.2a 19 Mar 2015
MD4 part of OpenSSL 1.0.2a 19 Mar 2015
SHA part of OpenSSL 1.0.2a 19 Mar 2015
RIPE-MD160 part of OpenSSL 1.0.2a 19 Mar 2015
Blowfish part of OpenSSL 1.0.2a 19 Mar 2015
\CAST part of OpenSSL 1.0.2a 19 Mar 2015

As I am using different library jar files and a library.so file in my project, my question is how should I figure out which library causes this issue?. Which library file should I replace so that My app is not rejected again?

Any help is really appreciated.

Answer 1

After a long research, I did figured out that one of the library that I was using in my App was compiled using older OpenSSL version. ie, unsupported versions of OpenSSL. Hence the solution for me was to recompiled that library Jar using latest version of OpenSSL.

Further, All developers were informed/notified by Google in the following Email during June:

Hello Google Play Developer,

We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL by 7/7/15. Starting on this date, Google Play will block publishing of any new apps and updates that use unsupported versions of OpenSSL.

REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.

The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm you’ve upgraded correctly, submit the updated version of the app(s) to the Developer Console and check back after five hours.

Starting on 7/7/15, we will not accept app updates containing the vulnerabilities. Any new apps containing the vulnerabilities will be rejected.

While these issues may not affect every app that uses OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, it’s best to stay up to date on all security patches. Make sure to update any libraries in your app that have known issues, even if you're not sure the issues are relevant to your app.

Before publishing applications, please ensure your apps’ compliance with the Developer Distribution Agreement and Content Policy.

If you feel we’ve sent this warning in error, please contact our appeals team through the App Developer help center.

Sincerely,

Google Play Team

Hence you will have to figure out what part of your application uses older version of OpenSSL to resolve this issue. You also need to check if any jar file was compiled using older version of OpenSSL.

Hope this helps you in someway. Regards.