Google Play and OpenSSL warning message

Question

I just received an email from Google play stating:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,

Google Play Team

©2014 Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

I have not explicitely included OpenSSL in any of my apps. The apps which use the Android NDK are using NDK 9d (the latest). The only external native libraries I do use are ffmpeg and OpenCV and some advertising libraries which do not have native code included.

Where else could OpenSSL be included causing this warning?

Regards,

Answer 1

I wrote a bash script which will display the OpenSSL versions of anything statically linked in your app and whether TLS heartbeat methods are included.

This worked on a handful of APKs I threw at it. The OpenSSL version string is being specifically extracted with a version number and date. If Google flags the APK and this can't find it, relax the OpenSSL regex in the egrep command to just "OpenSSL" and see where that gets you.

Put the following in a file e.g. testopenssl.sh

usage: ./testopenssl.sh APK_File

#!/bin/bash
sslworkdir="ssl_work_dir"
if [ ! -d $sslworkdir ]; then
  mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
    echo "Found OpenSSL versions"
    printf "%s\n" "${opensslarr[@]}"
    heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
    #Stackoverflow syntax highlight fix closing 'block comment' */
    if [ ${#heartbeatarr[@]} -gt 0 ]; then
        echo "Files that contains heartbeat methods:"
    printf "%s\n" "${heartbeatarr[@]}"
    else
        echo "No libraries contain heartbeat methods"
    fi
else
    echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir

Answer 2

According to Eric Davis on the Android Security Discussions mailing list in response to Security Alert: You are using a highly vulnerable version of OpenSSL:

1. You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")
2. Please update all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za. (Note by jww: this version will change over time as new versions of OpenSSL are released).
3. If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this.

When you get this message, you should update both the NDK and IDE you are using. I've seen reports of some versions of the NDK including a downlevel header. I also suspect the IDE you are using could be providing a downlevel OpenSSL version (I don't use the IDEs on Android, so I have not encountered it).

If you are not directly using OpenSSL, then the SDKs are providing the vulnerable version of OpenSSL. In this case, you should update your SDKs. If you need to locate the downlevel OpenSSL among SDKs, then see How to check which dependancy causes OpenSSL vulnerability.

Google also provides Updating Your Security Provider to Protect Against SSL Exploits, but I suspect it will still trigger the message because it appears to be a basic string search.

Its often easier to update everything rather than trying to figure out who is providing the down level version of OpenSSL. After you spend the time to determine who is providing it, your actionable item is the same: update the SDK. So why waste time on it; just update all of them and enjoy the other bug fixes, too.

---

There are still open questions, though: if one uses the cryptography from libcrypto (for example (RAND_bytes or EVP_encrypt) and not the SSL/TLS functions from libssl (for example, SSL_connect), will it still trigger the warning? That is, is Google scanning for use of vulnerable functions, or is Google scanning for OpenSSL version via strings.

Answer 3

I also have this problem because the version of Facebook's SDK I am using is not updated. So if you are using it too, just try to use the updated version of Facebook's SDK v3.21.1, and that warning is solved.

Answer 4

If you are using cocos2dx then you need to update curl library. Please download updated curl library from here http://cocostudio.download.appget.cn/Cocos2D-X/curl.zip

and replace it with current curl library present in cocos2dx.

For safe side please update your mac openssl version also, for this follow this link http://javigon.com/2014/04/09/update-openssl-in-osx/