Reputation: 31
I guess more than one of you received a mail from Google Play with the message:
"Hello Google Play Developer,
We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL by 7/7/15. Starting on this date, Google Play will block publishing of any new apps and updates that use unsupported versions of OpenSSL.
REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement. The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via:
$ unzip -p YourApp.apk | strings | grep "OpenSSL"
For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm you’ve upgraded correctly, submit the updated version of the app(s) to the Developer Console and check back after five hours. Starting on 7/7/15, we will not accept app updates containing the vulnerabilities. Any new apps containing the vulnerabilities will be rejected."
So I read many posts about this, like Post 1, Post 2 and others, and I must say that in my first version of the app I don't use any library, everything is from Android (I use WebView), and when I use "unzip -p YourApp.apk | strings | grep "OpenSSL"" on my first app I don't get any OpenSSL.
Does this mean that I received the mail because maybe I signed the APK with an old OpenSSL? (I use Windows, Android Studio.) If so, should I make a signed APK manually with the latest version of OpenSSL?
Or must my APK have OpenSSL in it?
In my present version I use libraries like: app-compat:22.2.0 (from Android, latest version), gms:7.5.0 (from Android, latest version) and volley (1.0.16), and when I use "unzip -p YourApp.apk | strings | grep "OpenSSL"" it gives me a result like GmsCore_OpenSSL. I guess GmsCore_OpenSSL is from the gms library, so it is native from Android.
Thanks in advance,
Upvotes: 1
Views: 3357
Reputation: 39451
The tool you use to sign the APK doesn't matter. If you already searched every file in the APK and couldn't find any uses of old OpenSSL, the next step is to check all the files that your APK uses indirectly.
There was one case of an App that downloaded Busybox, and Busybox contained curl, which contained an old version of OpenSSL, which caused it to get flagged.
So if you are downloading any native code libraries, run strings | grep "OpenSSL" and make sure they are up to date too.
Upvotes: 1
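To turn the grep from the notice and the answer's advice about indirectly bundled files into a repeatable check, here is an added example (not code from the question, the answer, or Google): a small Python scanner that walks every entry of an APK (and any zip/jar nested inside it), pulls out OpenSSL version banners such as "OpenSSL 1.0.1g 7 Apr 2014", and compares them against the fixed versions named in the notice (1.0.1h, 1.0.0m, 0.9.8za). A bare mention like GmsCore_OpenSSL carries no version, so it is reported separately rather than judged. The sample APK it builds, and the file names inside it, are constructed for the demonstration; the banner format is an assumption about how OpenSSL embeds its version string.

```python
import io
import re
import zipfile
from typing import Optional

# Minimum fixed versions quoted in the Google Play notice, keyed by branch.
FIXED_BY_BRANCH = {
    (1, 0, 1): "1.0.1h",
    (1, 0, 0): "1.0.0m",
    (0, 9, 8): "0.9.8za",
}

# Assumption: OpenSSL binaries embed a banner like "OpenSSL 1.0.1g 7 Apr 2014".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def version_key(version: str):
    """Turn '1.0.1h' into a sortable tuple. Old-style OpenSSL letter suffixes
    run a..z and then za, zb, ..., so compare letters by length before text."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it is at or
    past the fix, None if the branch is not one the notice covers."""
    key = version_key(version)
    fixed = FIXED_BY_BRANCH.get(key[:3])
    if fixed is None:
        return None
    return key < version_key(fixed)


def scan_blob(name: str, data: bytes):
    """Report every OpenSSL version banner found in one file's bytes."""
    findings = []
    for v in sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)}):
        findings.append({"file": name, "version": v, "vulnerable": is_vulnerable(v)})
    if not findings and b"OpenSSL" in data:
        # A bare mention (e.g. "GmsCore_OpenSSL") has no version to judge.
        findings.append({"file": name, "version": None, "vulnerable": None})
    return findings


def scan_zip(src, prefix: str = ""):
    """Walk every entry of an APK (a zip) and scan it. Nested zips/jars are
    opened too, so an archive bundled in assets/ cannot hide a banner."""
    results = []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            data = zf.read(info)
            results.extend(scan_blob(name, data))
            if info.filename.lower().endswith((".zip", ".jar", ".apk")):
                results.extend(scan_zip(io.BytesIO(data), prefix=name + "!"))
    return results


def vulnerable_files(results):
    """Names of entries whose banner predates the fix on its branch."""
    return sorted(r["file"] for r in results if r["vulnerable"] is True)


def build_sample_apk() -> io.BytesIO:
    """Constructed sample: an old and a new native lib, a bare GmsCore mention,
    and a compressed nested archive carrying an old 0.9.8 build."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("bin/curl", b"\x00OpenSSL 0.9.8y 5 Feb 2013\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/armeabi-v7a/libold.so", b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
        z.writestr("lib/armeabi-v7a/libnew.so", b"\x00OpenSSL 1.0.1h 5 Jun 2014\x00")
        z.writestr("classes.dex", b"\x00GmsCore_OpenSSL\x00")
        z.writestr("assets/tools.zip", inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    for r in scan_zip(build_sample_apk()):
        print(f"{r['file']}: version={r['version']} vulnerable={r['vulnerable']}")
```

Run it against a real build with scan_zip("YourApp.apk"); anything that downloads extra native code at runtime should be fed through scan_blob or scan_zip as well, which is the case the answer describes with Busybox and curl.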