gustavogenovese/curl-android-ios

Google Play rejected app for using a vulnerable version of OpenSSL

cdm2012 opened this issue · 6 comments

My latest update to Google Play is returning the following error:

Your app utilizes a version of OpenSSL that contains one or more security vulnerabilities. Please migrate your app to OpenSSL 1.02f/1.01r or higher...  If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

To confirm your OpenSSL version, you can do a grep search for:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

I ran the following command to confirm your commit message "Updated to cURL 7.48 and OpenSSL 1.0.1s" and what Google stated in their email:

unzip -p ReelContent.16.07.23.3.apk | strings | grep "OpenSSL"

and I saw the following output:

UI_OpenSSL
OpenSSLDie
...
OpenSSL RSA method
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
SSLv2 part of OpenSSL 1.0.1o 12 Jun 2015
...and much more

I have done some research into how to update your openssl submodule locally with the OpenSSL 1_0_2 branch, but I may need some assistance doing that.

Can you help with this, or should I consider options other than what I have already tried?

Make sure you're not using any other library that provides OpenSSL, which seems to be your case.
Check the full output of that command, or better yet, run this:
unzip -p ReelContent.16.07.23.3.apk | strings | grep "OpenSSL 1.0.1"
and see if you find the two versions: 1.0.1s coming from this library and 1.0.1o coming from your other libraries.
I plan to upgrade OpenSSL to 1.0.1t in a few days though, so if you're not sure, you can wait until I publish this. Upgrading to the 1.0.2 branch will take more time so I've been postponing it for a while.
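The `unzip -p ... | strings | grep` pipeline from Google's notice concatenates every entry of the APK, so it can tell you which OpenSSL version strings are present but not which native library each one came from. The script below is an added example (not code from the curl-android-ios project or from anyone in this thread) that opens the APK as a zip, searches each entry separately for the OpenSSL version banner, and checks each hit against the floor Google states (1.0.1r / 1.0.2f). The sample APK it builds in memory is constructed for the demonstration; the file names `libcurl.so` and `libother.so` and the assumption that branches newer than 1.0.2 pass the floor are mine, not something the thread states.

```python
"""Per-file OpenSSL version scan of an APK.

Added example, not part of the curl-android-ios project. The sample APK
built by build_sample_apk() is constructed; run the functions against a
real .apk by passing open(path, "rb").read() to report().
"""
import io
import re
import zipfile

# The version banner OpenSSL embeds in libcrypto/libssl, e.g.
# "OpenSSL 1.0.1o 12 Jun 2015". The letter suffix is optional (1.1.0 has none).
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\s+\d+ \w+ \d{4}")

# Floor quoted in Google's notice: 1.0.2f or 1.0.1r. Treating anything on a
# newer branch (1.1.x, 3.x) as passing is an assumption of this example.
MIN_BY_BRANCH = {(1, 0, 1): "r", (1, 0, 2): "f"}


def parse_version(banner: bytes):
    """Turn a banner into (major, minor, fix, letter); None if no banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4).decode())


def meets_floor(version):
    """True if this version satisfies the 1.0.1r / 1.0.2f floor."""
    branch = version[:3]
    if branch in MIN_BY_BRANCH:
        # Patch letters within a branch sort alphabetically ("o" < "r" < "t").
        return version[3] >= MIN_BY_BRANCH[branch]
    # Older branches (1.0.0, 0.9.8) fail; newer branches pass (assumption).
    return branch > (1, 0, 2)


def scan_apk(apk_bytes: bytes):
    """Return {entry_name: set of version tuples} for every zip entry
    that embeds at least one OpenSSL version banner."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            versions = {parse_version(m.group(0))
                        for m in VERSION_RE.finditer(zf.read(name))}
            if versions:
                found[name] = versions
    return found


def report(apk_bytes: bytes):
    """Per-file verdicts as a list of (entry, version_string, passes_floor)."""
    out = []
    for name, versions in sorted(scan_apk(apk_bytes).items()):
        for v in sorted(versions):
            out.append((name, f"{v[0]}.{v[1]}.{v[2]}{v[3]}", meets_floor(v)))
    return out


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: two native libraries bundling
    different OpenSSL builds, plus a dex file that carries no banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libcurl.so",
                    b"\x7fELF...OpenSSL 1.0.1t  3 May 2016\x00"
                    b"SSLv3 part of OpenSSL 1.0.1t  3 May 2016\x00")
        zf.writestr("lib/armeabi-v7a/libother.so",
                    b"\x7fELF...OpenSSL 1.0.1o 12 Jun 2015\x00")
        zf.writestr("classes.dex", b"dex\n035\x00no ssl banner here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vs, ok in report(build_sample_apk()):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: OpenSSL {vs}")
```

On the constructed sample this flags `libother.so` (1.0.1o) and passes `libcurl.so` (1.0.1t), which is exactly the split the thread is trying to establish: a second library that statically links its own copy of OpenSSL will show up as a separate entry with its own banner, and Google's check will keep rejecting the upload until every one of them clears the floor.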

Just updated OpenSSL to 1.0.1t

About to try your latest update (1.0.1t)... but I did try your grep and also another one with "OpenSSL 1.0.1s", and I got no results for the 1.0.1s. Here are the results of the grep that you posted, "OpenSSL 1.0.1":

OpenSSL 1.0.1o 12 Jun 2015
SSLv2 part of OpenSSL 1.0.1o 12 Jun 2015
SSLv3 part of OpenSSL 1.0.1o 12 Jun 2015
TLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
ASN.1 part of OpenSSL 1.0.1o 12 Jun 2015
Big Number part of OpenSSL 1.0.1o 12 Jun 2015
libdes part of OpenSSL 1.0.1o 12 Jun 2015
DES part of OpenSSL 1.0.1o 12 Jun 2015
Diffie-Hellman part of OpenSSL 1.0.1o 12 Jun 2015
DSA part of OpenSSL 1.0.1o 12 Jun 2015
EC part of OpenSSL 1.0.1o 12 Jun 2015
ECDH part of OpenSSL 1.0.1o 12 Jun 2015
ECDSA part of OpenSSL 1.0.1o 12 Jun 2015
EVP part of OpenSSL 1.0.1o 12 Jun 2015
lhash part of OpenSSL 1.0.1o 12 Jun 2015
MD4 part of OpenSSL 1.0.1o 12 Jun 2015
MD5 part of OpenSSL 1.0.1o 12 Jun 2015
PEM part of OpenSSL 1.0.1o 12 Jun 2015
RC2 part of OpenSSL 1.0.1o 12 Jun 2015
RIPE-MD160 part of OpenSSL 1.0.1o 12 Jun 2015
RSA part of OpenSSL 1.0.1o 12 Jun 2015
SHA1 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-256 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-512 part of OpenSSL 1.0.1o 12 Jun 2015
DlSHA part of OpenSSL 1.0.1o 12 Jun 2015
Stack part of OpenSSL 1.0.1o 12 Jun 2015
TXT_DB part of OpenSSL 1.0.1o 12 Jun 2015
X.509 part of OpenSSL 1.0.1o 12 Jun 2015
DTLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
cU!
   }AES part of OpenSSL 1.0.1o 12 Jun 2015
Blowfish part of OpenSSL 1.0.1o 12 Jun 2015
CONF part of OpenSSL 1.0.1o 12 Jun 2015
RAND part of OpenSSL 1.0.1o 12 Jun 2015
RC4 part of OpenSSL 1.0.1o 12 Jun 2015
ECONF_def part of OpenSSL 1.0.1o 12 Jun 2015

So, I have tried to isolate my native library usage to just your network library and a string library where I am using the source code directly, so unless Facebook or one of its dependencies is using an OpenSSL dependency that I don't see, other libraries should not be an issue here.

Also, the first time I ran the grep from Google, it was with my first version of curl-android-ios, which I had from a year ago, and the ReelContent.16.07.23.1.apk file:

unzip -p ReelContent.16.07.23.1.apk | strings | grep "OpenSSL"

With the following results:

UI_OpenSSL
OpenSSLDie
DH_OpenSSL
DSA_OpenSSL
ECDH_OpenSSL
ECDSA_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
OpenSSL
could not load PEM client certificate, OpenSSL error %s, (no key found, wrong pass phrase, or wrong file format?)
could not load ASN1 client certificate, OpenSSL error %s, (no key found, wrong pass phrase, or wrong file format?)
could not parse PKCS12 file, check password, OpenSSL error %s
could not load PKCS12 client certificate, OpenSSL error %s
unable do create OpenSSL user-interface method
OpenSSL 1.0.1o 12 Jun 2015
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
OpenSSL RSA method
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
SSLv2 part of OpenSSL 1.0.1o 12 Jun 2015
SSLv3 part of OpenSSL 1.0.1o 12 Jun 2015
TLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
ASN.1 part of OpenSSL 1.0.1o 12 Jun 2015
Big Number part of OpenSSL 1.0.1o 12 Jun 2015
libdes part of OpenSSL 1.0.1o 12 Jun 2015
DES part of OpenSSL 1.0.1o 12 Jun 2015
Diffie-Hellman part of OpenSSL 1.0.1o 12 Jun 2015
DSA part of OpenSSL 1.0.1o 12 Jun 2015
EC part of OpenSSL 1.0.1o 12 Jun 2015
ECDH part of OpenSSL 1.0.1o 12 Jun 2015
ECDSA part of OpenSSL 1.0.1o 12 Jun 2015
EVP part of OpenSSL 1.0.1o 12 Jun 2015
lhash part of OpenSSL 1.0.1o 12 Jun 2015
MD4 part of OpenSSL 1.0.1o 12 Jun 2015
MD5 part of OpenSSL 1.0.1o 12 Jun 2015
PEM part of OpenSSL 1.0.1o 12 Jun 2015
RC2 part of OpenSSL 1.0.1o 12 Jun 2015
RIPE-MD160 part of OpenSSL 1.0.1o 12 Jun 2015
RSA part of OpenSSL 1.0.1o 12 Jun 2015
SHA1 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-256 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-512 part of OpenSSL 1.0.1o 12 Jun 2015
DlSHA part of OpenSSL 1.0.1o 12 Jun 2015
Stack part of OpenSSL 1.0.1o 12 Jun 2015
TXT_DB part of OpenSSL 1.0.1o 12 Jun 2015
X.509 part of OpenSSL 1.0.1o 12 Jun 2015
DTLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
cU!
   }AES part of OpenSSL 1.0.1o 12 Jun 2015
Blowfish part of OpenSSL 1.0.1o 12 Jun 2015
CONF part of OpenSSL 1.0.1o 12 Jun 2015
RAND part of OpenSSL 1.0.1o 12 Jun 2015
RC4 part of OpenSSL 1.0.1o 12 Jun 2015
ECONF_def part of OpenSSL 1.0.1o 12 Jun 2015

The second time that I ran it, it was with the current version of curl-android-ios:

unzip -p ReelContent.16.07.23.3.apk | strings | grep "OpenSSL"

And got the following:

UI_OpenSSL
OpenSSLDie
DH_OpenSSL
DSA_OpenSSL
ECDH_OpenSSL
ECDSA_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
OpenSSL
could not load PEM client certificate, OpenSSL error %s, (no key found, wrong pass phrase, or wrong file format?)
could not load ASN1 client certificate, OpenSSL error %s, (no key found, wrong pass phrase, or wrong file format?)
could not parse PKCS12 file, check password, OpenSSL error %s
could not load PKCS12 client certificate, OpenSSL error %s
unable do create OpenSSL user-interface method
OpenSSL 1.0.1o 12 Jun 2015
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
OpenSSL RSA method
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
SSLv2 part of OpenSSL 1.0.1o 12 Jun 2015
SSLv3 part of OpenSSL 1.0.1o 12 Jun 2015
TLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
ASN.1 part of OpenSSL 1.0.1o 12 Jun 2015
Big Number part of OpenSSL 1.0.1o 12 Jun 2015
libdes part of OpenSSL 1.0.1o 12 Jun 2015
DES part of OpenSSL 1.0.1o 12 Jun 2015
Diffie-Hellman part of OpenSSL 1.0.1o 12 Jun 2015
DSA part of OpenSSL 1.0.1o 12 Jun 2015
EC part of OpenSSL 1.0.1o 12 Jun 2015
ECDH part of OpenSSL 1.0.1o 12 Jun 2015
ECDSA part of OpenSSL 1.0.1o 12 Jun 2015
EVP part of OpenSSL 1.0.1o 12 Jun 2015
lhash part of OpenSSL 1.0.1o 12 Jun 2015
MD4 part of OpenSSL 1.0.1o 12 Jun 2015
MD5 part of OpenSSL 1.0.1o 12 Jun 2015
PEM part of OpenSSL 1.0.1o 12 Jun 2015
RC2 part of OpenSSL 1.0.1o 12 Jun 2015
RIPE-MD160 part of OpenSSL 1.0.1o 12 Jun 2015
RSA part of OpenSSL 1.0.1o 12 Jun 2015
SHA1 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-256 part of OpenSSL 1.0.1o 12 Jun 2015
SHA-512 part of OpenSSL 1.0.1o 12 Jun 2015
DlSHA part of OpenSSL 1.0.1o 12 Jun 2015
Stack part of OpenSSL 1.0.1o 12 Jun 2015
TXT_DB part of OpenSSL 1.0.1o 12 Jun 2015
X.509 part of OpenSSL 1.0.1o 12 Jun 2015
DTLSv1 part of OpenSSL 1.0.1o 12 Jun 2015
cU!
   }AES part of OpenSSL 1.0.1o 12 Jun 2015
Blowfish part of OpenSSL 1.0.1o 12 Jun 2015
CONF part of OpenSSL 1.0.1o 12 Jun 2015
RAND part of OpenSSL 1.0.1o 12 Jun 2015
RC4 part of OpenSSL 1.0.1o 12 Jun 2015
ECONF_def part of OpenSSL 1.0.1o 12 Jun 2015

All of this was still in my terminal, because I'm currently working on it. But, as far as I can see, there is no difference in the versions of OpenSSL between them. So is there anything that I can do to upgrade my OpenSSL from 1.0.1o to 1.0.1s? Also, what would it take for you to go from version 1.0.1t to the next version (I'm guessing 1.0.1u, or maybe it's 1.0.2)?

After your 1.0.1t update:

OpenSSL 1.0.1t  3 May 2016
SSLv3 part of OpenSSL 1.0.1t  3 May 2016
TLSv1 part of OpenSSL 1.0.1t  3 May 2016
ASN.1 part of OpenSSL 1.0.1t  3 May 2016
Big Number part of OpenSSL 1.0.1t  3 May 2016
libdes part of OpenSSL 1.0.1t  3 May 2016
DES part of OpenSSL 1.0.1t  3 May 2016
Diffie-Hellman part of OpenSSL 1.0.1t  3 May 2016
DSA part of OpenSSL 1.0.1t  3 May 2016
^EC part of OpenSSL 1.0.1t  3 May 2016
ECDH part of OpenSSL 1.0.1t  3 May 2016
ECDSA part of OpenSSL 1.0.1t  3 May 2016
EVP part of OpenSSL 1.0.1t  3 May 2016
lhash part of OpenSSL 1.0.1t  3 May 2016
MD4 part of OpenSSL 1.0.1t  3 May 2016
MD5 part of OpenSSL 1.0.1t  3 May 2016
PEM part of OpenSSL 1.0.1t  3 May 2016
RC2 part of OpenSSL 1.0.1t  3 May 2016
RIPE-MD160 part of OpenSSL 1.0.1t  3 May 2016
RSA part of OpenSSL 1.0.1t  3 May 2016
SHA1 part of OpenSSL 1.0.1t  3 May 2016
SHA-256 part of OpenSSL 1.0.1t  3 May 2016
SHA-512 part of OpenSSL 1.0.1t  3 May 2016
DlSHA part of OpenSSL 1.0.1t  3 May 2016
Stack part of OpenSSL 1.0.1t  3 May 2016
TXT_DB part of OpenSSL 1.0.1t  3 May 2016
X.509 part of OpenSSL 1.0.1t  3 May 2016
DTLSv1 part of OpenSSL 1.0.1t  3 May 2016
cU!
   }AES part of OpenSSL 1.0.1t  3 May 2016
Blowfish part of OpenSSL 1.0.1t  3 May 2016
CONF part of OpenSSL 1.0.1t  3 May 2016
RAND part of OpenSSL 1.0.1t  3 May 2016
RC4 part of OpenSSL 1.0.1t  3 May 2016
ECONF_def part of OpenSSL 1.0.1t  3 May 2016

I'm going to try to upload this apk to Google Play now, but I don't expect it to be accepted yet. Also, what would it take for you to go from version 1.0.1t to the next version (I'm guessing 1.0.1u, or maybe it's 1.0.2)?

I only ask because, although I don't have too much experience with programming in C/C++, I have taught the languages to others... so I may have enough experience to assist in speeding up the build process (if you need the help).

The ReelContent.16.07.23.3.apk has uploaded successfully to Google Play! Thank you for your time today!

I'm glad the last update helped you 😄