
I have an Android app that uses some .jar files (libraries). My app is being rejected for OpenSSL vulnerabilities, but I can't find the .jar file that contains OpenSSL.

How do I search the .jar files for OpenSSL on my Mac?

grep Openssl.class /Users/joon/work/androidApp/*.jar

UPDATE:

Here are my dependencies and Jars. When I run the grep command mentioned below, it doesn't tell me which jar is the issue, just that I have an old version of OpenSSL. Further, some of the jars below, like Bouncy Castle, whether they have OpenSSL or not, have not been updated since 2013, which is before the OpenSSL security fix. We tried removing each of the jars, one by one, and recompiling + cleaning (commenting out the code so it would compile), but it still says the old OpenSSL is in use. Can anyone point to the culprit below?

JARS:
httpmime-4.1.3.jar
libGoogleAnalyticsServices.jar
opentok-android-sdk-2.3.1.jar
sc-light-jdk15on-1.47.0.2.jar
scpkix-jdk15on-1.47.0.2.jar
scprov-jdk15on-1.47.0.2.jar
socketio.jar


dependencies {
    compile fileTree(dir: 'libs', include: ['*.jar'])
    compile 'com.android.support:appcompat-v7:21.+'
    compile 'com.google.android.gms:play-services-maps:6.5.+'
    compile 'com.crashlytics.android:crashlytics:1.+'
}
jww
jdog
  • Also see [How to determine which dependency causes Google Play OpenSSL warning?](http://stackoverflow.com/a/38190080/608639) – jww Jul 21 '16 at 22:30

1 Answer


How do I search the .jar files for OpenSSL on my Mac?

You can check the JAR files with the following script:

#!/usr/bin/env bash

JAR_FILES=("httpmime-4.1.3.jar"
           "libGoogleAnalyticsServices.jar"
           "opentok-android-sdk-2.3.1.jar"
           "sc-light-jdk15on-1.47.0.2.jar"
           "scpkix-jdk15on-1.47.0.2.jar"
           "scprov-jdk15on-1.47.0.2.jar"
           "socketio.jar")

for jar_file in "${JAR_FILES[@]}"
do
    echo "************ $jar_file ************"
    # A JAR is a ZIP archive, so its members are normally deflated and a
    # plain grep over the file only sees compressed bytes. Stream the
    # members out with unzip -p first; -a searches the binary data as
    # text and -F keeps the periods in the version string literal.
    if unzip -p "$jar_file" | grep -a -q -F '1.0.1h'; then
        echo "FOUND 1.0.1h in $jar_file"
    fi
done

You should replace the string '1.0.1h' with the vulnerable OpenSSL version being reported to you. Be sure to retain the single quote because the period is a literal in 1.0.1h.


Another way to do it is:

find /Users/joon/work/androidApp/ -name '*.jar' -exec grep -l -a -F 'Openssl.class' {} \;

Or:

find /Users/joon/work/androidApp/ -name '*.jar' -exec sh -c 'unzip -p "$1" | grep -a -q -F 1.0.1h && echo "$1"' _ {} \;

On OS X, this is helpful too:

find "$HOME" -name '.DS_Store' -exec rm -f {} \;

It removes those .DS_Store files that get created in every directory and subsequently added to archives like ZIP files.

jww
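The grep-based approaches above tell you that some version string exists somewhere; what the asker actually needs is which archive and which member carry it. The script below is an added example, not code from the question or the answer. It is written in Python because the standard-library zipfile module does the part grep cannot: a JAR (and an AAR or APK) is a ZIP archive whose members are normally deflated, so the OpenSSL banner that libcrypto embeds (for example "OpenSSL 1.0.1h 5 Jun 2014") is only visible after decompression. It walks a libs directory, opens every .jar/.aar/.apk, descends one level into nested archives (an AAR's classes.jar), and reports archive, member and version; an optional minimum version flags anything older, assuming the pre-1.1.0 scheme where a trailing letter is a patch release. The fixture archives it builds for the demo (example-sdk-2.3.1.jar, clean-lib-1.0.jar, wrapper-1.0.aar, the member names and the fake ELF bytes) are constructed here and are not real SDKs, and find_openssl.py is a hypothetical file name.

```python
#!/usr/bin/env python3
"""Report which JAR/AAR/APK embeds OpenSSL, in which member, and which version.

Added example. A JAR is a ZIP archive, so member contents are normally
deflated and grep on the raw file only sees compressed bytes; this
decompresses every member and searches it for OpenSSL's version banner.
"""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# libcrypto carries a banner such as "OpenSSL 1.0.1h 5 Jun 2014"; matching the
# banner rather than a bare "1.0.1h" avoids hits on unrelated version numbers.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
ARCHIVE_SUFFIXES = {".jar", ".aar", ".apk"}


def _scan_zip(zf, archive, prefix="", depth=0):
    """Return (archive, member, version) hits for the members of an open ZIP."""
    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        data = zf.read(info)  # decompressed member bytes
        member = prefix + info.filename
        # An archive nested one level down (an AAR's classes.jar, an APK's
        # lib/) is opened in memory so the report names the inner member.
        if (depth < 1 and Path(info.filename).suffix in ARCHIVE_SUFFIXES
                and zipfile.is_zipfile(io.BytesIO(data))):
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                hits.extend(_scan_zip(inner, archive, member + "!", depth + 1))
            continue
        for m in BANNER_RE.finditer(data):
            hit = (archive, member, m.group(1).decode("ascii"))
            if hit not in hits:  # libcrypto repeats the banner in several places
                hits.append(hit)
    return hits


def scan_tree(root):
    """Scan every .jar/.aar/.apk below root, in sorted path order."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                hits.extend(_scan_zip(zf, str(path)))
    return hits


def version_key(version):
    """Sort key for pre-1.1.0 OpenSSL versions: '1.0.2' sorts before '1.0.2a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def older_than(found, minimum):
    """True if the embedded version predates the minimum the store asks for."""
    return version_key(found) < version_key(minimum)


def build_sample_tree(root):
    """Write constructed fixture archives under root (invented names, not real SDKs)."""
    root = Path(root)
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 16
    fake_so = b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.1h 5 Jun 2014\x00"
    with zipfile.ZipFile(root / "example-sdk-2.3.1.jar", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("com/example/sdk/Client.class", fake_class)
        zf.writestr("lib/armeabi/libexample.so", fake_so)  # the culprit
    with zipfile.ZipFile(root / "clean-lib-1.0.jar", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/clean/Util.class", fake_class)  # no OpenSSL at all
    inner = io.BytesIO()  # an AAR wrapping a classes.jar that embeds a newer OpenSSL
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("native/libssl.so", b"\x00OpenSSL 1.0.2f 28 Jan 2016\x00")
    with zipfile.ZipFile(root / "wrapper-1.0.aar", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.jar", inner.getvalue())
    return root


def demo():
    """Build the fixtures in a temp dir and return (archive name, member, version)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(a).name, mem, ver) for a, mem, ver in scan_tree(tmp)]


if __name__ == "__main__":
    # Usage: find_openssl.py <libs dir> [minimum version]; no arguments runs the demo.
    if len(sys.argv) < 2:
        results, minimum = demo(), None
    else:
        results = scan_tree(sys.argv[1])
        minimum = sys.argv[2] if len(sys.argv) > 2 else None
    for archive, member, version in results:
        flag = f"  <-- older than {minimum}" if minimum and older_than(version, minimum) else ""
        print(f"{archive}: {member} -> OpenSSL {version}{flag}")
```

Run it as `python3 find_openssl.py /Users/joon/work/androidApp 1.0.1r` to list every archive under the project that embeds OpenSSL and mark the ones older than 1.0.1r; with no arguments it scans the constructed fixtures, where only example-sdk-2.3.1.jar (via lib/armeabi/libexample.so) and the classes.jar inside wrapper-1.0.aar report a version. Run it against the built APK as well as the libs directory, since the store inspects the APK and a native library pulled in by a Gradle dependency rather than a local jar would otherwise be missed.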