android - Google Play and OpenSSL warning message

Question

I just received an email from Google play stating:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,

Google Play Team

?2014 Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

I have not explicitely included OpenSSL in any of my apps. The apps which use the Android NDK are using NDK 9d (the latest). The only external native libraries I do use are ffmpeg and OpenCV and some advertising libraries which do not have native code included.

Where else could OpenSSL be included causing this warning?

Regards,

Answer 1

I wrote a bash script which will display the OpenSSL versions of anything statically linked in your app and whether TLS heartbeat methods are included.

This worked on a handful of APKs I threw at it. The OpenSSL version string is being specifically extracted with a version number and date. If Google flags the APK and this can't find it, relax the OpenSSL regex in the egrep command to just "OpenSSL" and see where that gets you.

Put the following in a file e.g. testopenssl.sh

usage: ./testopenssl.sh APK_File

#!/bin/bash
sslworkdir="ssl_work_dir"
if [ ! -d $sslworkdir ]; then
  mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'
'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSLsd+.d+.d+w+sd+sw+sd+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s
" "${opensslarr[@]}"
    heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
    #Stackoverflow syntax highlight fix closing 'block comment' */
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contains heartbeat methods:"
    printf "%s
" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir