Google Play Security Alert and OpenSSL version 1.0.1j after all possible updates

Question

I received the Security Alert from Google Play regarding OpenSSL vulnerability. I do not use OpenSSL directly but one of the libraries that I am using could be.

I have updated everything including JDK, SDK, gradle, all possible libraries but still the OpenSSL version shows 1.0.1j for my app. I tried all the solutions mentioned in Stack Overflow, other websites and blogs but nothing changed. Given below are few links that I already referred:

• Google Play and OpenSSL warning message
• OpenSSL Security Alert Mail from Google Play for android apps
• Update Android app to latest version of OpenSSL
• Security Alert: You are using a highly vulnerable version of OpenSSL (Google Groups)

This is not a duplicate question because no answers of other questions could help me. Please help.

---

This is my app's build.gradle file:

buildscript {
    repositories {
        maven { url 'https://maven.fabric.io/public' }
    }

    dependencies {
        classpath 'io.fabric.tools:gradle:1.21.6'
    }
}
apply plugin: 'com.android.application'
apply plugin: 'io.fabric'

repositories {
    mavenCentral()
    maven { url 'https://maven.fabric.io/public' }
    jcenter()
    maven { url 'http://maven.localytics.com/public' }
    maven() {
        url "https://oss.sonatype.org/content/repositories/snapshots"
    }
}

android {
    compileSdkVersion 24
    buildToolsVersion "24.0.0"

    lintOptions {
        disable 'InvalidPackage'
        abortOnError false
    }

    packagingOptions {
        exclude 'META-INF/services/javax.annotation.processing.Processor'
    }
    defaultConfig {
        applicationId "co.myandroid.app"
        minSdkVersion 14
        targetSdkVersion 24
        versionCode 29
        versionName "1.0.0.19"
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
        }
    }
}

dependencies {
    compile('com.crashlytics.sdk.android:crashlytics:2.6.0@aar') {
        transitive = true;
    }
    compile('com.github.worker8:tourguide:1.0.17-SNAPSHOT@aar') {
        transitive = true
    }
    compile project(':cropper')
    compile 'com.android.support:support-v4:24.0.0'
    compile 'com.parse.bolts:bolts-android:1.4.0'
    compile 'com.parse:parse-android:1.13.0'
    compile 'com.android.support:appcompat-v7:24.0.0'
    compile 'com.android.support:cardview-v7:24.0.0'
    compile 'com.android.support:design:24.0.0'
    compile 'com.squareup:android-times-square:1.6.5@aar'
    compile 'com.google.android.gms:play-services-analytics:9.2.0'
    compile 'com.google.android.gms:play-services-gcm:9.2.0'
    compile 'com.google.android.gms:play-services-ads:9.2.0'
    compile 'com.localytics.android:library:4.0.1'
    compile 'org.jbundle.util.osgi.wrapped:org.jbundle.util.osgi.wrapped.org.apache.http.client:4.1.2'
}

Answer 1

First you need to make sure where does that library come from. AFAIK you can't check this in Settings -> Project dependencies, at least not in the stable version.

But you can go to your Android Studio Terminal tab, make sure you are in the root of the project, and type this:

• Windows version: gradlew app:dependencies

• Mac/Linux version: ./gradlew app:dependencies

That will print a nice dependencies tree and hopefully you can find openssl there.

IMPORTANT: These commands will only work if you are using the gradle wrapper. If you are on Mac or Linux, you might need to chmod 755 first to make it executable. If not using the gradle wrapper, then I guess you might be able to do the same just changing to your gradle directory (if not in the global path) and replacing gradlew for gradle in the above posted commands.