This repository has been archived by the owner on Mar 3, 2020. It is now read-only.

OpenSSL lower 1.02f/1.01r is vulnerable and not recommended by Google #129

Closed
hohnamkung opened this issue Apr 1, 2016 · 6 comments

Comments

@hohnamkung

I've got an email from Google Play about an OpenSSL vulnerability.

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

According to release tag, the latest version of conceal is using openssl 1.0.2e.

Could you update it to OpenSSL 1.02f/1.01r or higher?

@helios175
Contributor

Thanks for the heads up. We will definitely update the libraries much before the deadline.

@helios175
Contributor

We merged #130 and added one more commit, so now we are using OpenSSL 1.0.2g.
We will issue version 1.0.6 later today.

Thanks again!

@56075

56075 commented Sep 13, 2016

Hello everyone, I got the following mail from the Google developer console account:

Hello Google Play Developer,
We rejected "App name", with package name com.appname, for violating our Malicious Behavior or User Data policy. If you submitted an update, the previous version of your app is still available on Google Play.
This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.
Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability APK Version(s)
OpenSSL The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. To confirm your OpenSSL version, you can do a grep search for:
$ unzip -p YourApp.apk | strings | grep "OpenSSL"
You can find more information and next steps in this Google Help Center article.

Actually, I am using the CSipSimple library for VoIP calling, and in that I am using pjsplib.so files; in that library OpenSSL is used in the project. Can anyone please help me with what I should do, because my app is live on the Play Store and it is being rejected again and again because of this issue. Please help me.

Thanks .
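Google's email above suggests `unzip -p YourApp.apk | strings | grep "OpenSSL"`, which only dumps raw strings. The following script is an added example (not from this issue, the conceal project or Google) that does the same check in a form you can put into a release pipeline: it walks every entry of the APK, extracts the `OpenSSL x.y.zL` banner that OpenSSL compiles into its binaries, and flags any version below the fixed releases named in the email (1.0.2f for the 1.0.2 branch, 1.0.1r for the 1.0.1 branch). The sample APK is constructed in memory, and the library names `libpjsplib.so` / `libconceal.so` inside it are hypothetical; it assumes patch letters sort lexically, which holds for OpenSSL 1.0.x releases.

```python
import io
import re
import zipfile

# Fixed releases named in the Google Play email quoted in this issue, keyed by branch.
MIN_FIXED = {(1, 0, 2): (1, 0, 2, "f"), (1, 0, 1): (1, 0, 1, "r")}

# OpenSSL embeds a banner such as "OpenSSL 1.0.2e 3 Dec 2015" in its binaries.
# The patch letters are optional ("1.0.2" is a valid release with no letter).
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(match):
    """Turn a regex match into a comparable tuple (major, minor, fix, letters)."""
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix), letters.decode())


def fmt(version):
    return "{}.{}.{}{}".format(*version)


def is_vulnerable(version):
    """True if the version is below the fixed release for its branch.
    Branches the advisory does not mention (e.g. 1.1.0) are not flagged."""
    fixed = MIN_FIXED.get(version[:3])
    if fixed is None:
        return False
    # Tuple comparison: numeric parts first, then the letter string ("" < "a" < ... < "z").
    return version < fixed


def scan_apk(apk_bytes):
    """Scan every file in the APK for OpenSSL banners.
    Returns {entry_name: [(version_tuple, vulnerable), ...]} for entries that contain one."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            versions = sorted({parse_version(m) for m in VERSION_RE.finditer(data)})
            if versions:
                findings[info.filename] = [(v, is_vulnerable(v)) for v in versions]
    return findings


def report(apk_bytes):
    """Human-readable lines, one per (library, version) pair found."""
    lines = []
    for name, versions in sorted(scan_apk(apk_bytes).items()):
        for version, vulnerable in versions:
            status = "VULNERABLE (below fixed release)" if vulnerable else "ok"
            lines.append(f"{name}: OpenSSL {fmt(version)} {status}")
    return lines


def build_sample_apk():
    """Constructed sample APK: one stale native lib, one updated lib, one non-native entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libpjsplib.so",   # hypothetical name
                    b"\x7fELF\x01\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.2e 3 Dec 2015\x00")
        zf.writestr("lib/armeabi-v7a/libconceal.so",   # hypothetical name
                    b"\x7fELF\x01\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.2g 1 Mar 2016\x00")
        zf.writestr("classes.dex", b"dex\n035\x00 no crypto banner in here")
    return buf.getvalue()


if __name__ == "__main__":
    for line in report(build_sample_apk()):
        print(line)
```

To run it against a real build, replace `build_sample_apk()` with `open("YourApp.apk", "rb").read()`. Note that a library which statically links OpenSSL (option B in the reply below) still carries the banner, so this check also catches the single-`.so` case; a build that strips all strings would not show up, and for that you have to rely on your build inputs instead.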

@helios175
Contributor

To the developer having trouble with pjsplib.so: I would use every means
to encourage the pjsplib developers to update to the proper OpenSSL.

That said:

A) If that library uses OpenSSL as a separate .so, you could replace it with
the right version. If you use the same version as conceal (1.0.2), you could
download the conceal code, run the makefile in the native/third-party/openssl
directory and generate the binaries needed for each platform. It's 1.0.2g,
so it'll be fine.

B) If that library uses OpenSSL and generates a single .so (which is what
seems to be happening), the only way is to compile it again with the proper code. I
cannot help with that, as it's about building that library. But it should involve
just replacing the OpenSSL code (1.0.2 or 1.0.1, depending on what it uses)
and recompiling...

Good luck!


@56075

56075 commented Sep 16, 2016

Hello,

Thanks for replying, I will check this.


Thanks and Regards
Rajshree Tiwari
Subject Matter Expert - IT (Android)
Advantal Technologies pvt ltd.

Website : http://www.advantal.net/
Facebook: www.facebook.com/advantal


@KaluKhan

I had this issue, and I resolved it with the steps below:
First, I use Android Studio. So, if you're using Eclipse, try to find your own way.

The cause of the issue is the libavformat.so file, which is using OpenSSL 1.0.2d. We need to update it. But just updating libavformat.so will cause crashes, so we need to update all related libs (javacv and javacpp).

  • Download javacv-1.2-bin.zip and javacpp-1.2.3-bin.zip from https://github.com/bytedeco/javacv and https://github.com/bytedeco/javacpp
  • Extract them and copy ffmpeg.jar, javacpp.jar, javacv.jar and opencv.jar to [touchToRecord]\libs.
  • Extract ffmpeg-android-arm.jar and opencv-android-arm.jar (find them after extracting javacv-1.2-bin.zip); you will get the new versions of the .so files.
  • Replace the old files in [touchToRecord]\src\main\jniLibs\armeabi-v7a with the new versions (almost all .so files will be replaced, but not all of them).
  • Sometimes you need to copy the javacpp-presets-1.2.pom file to [touchToRecord]\libs, too. You can search for it on Google.
  • Modify the build.gradle of touchToRecord module
apply plugin: 'com.android.library'

android {
    compileSdkVersion 23
    buildToolsVersion "23.0.3"

    defaultConfig {
        minSdkVersion 14
        targetSdkVersion 23
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'

        }
    }

    packagingOptions {
        exclude 'META-INF/services/javax.annotation.processing.Processor'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/1.2/javacpp-presets-1.2.pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/org.bytedeco.javacpp-presets-1.2.pom.xml'
    }
}

configurations {
    all*.exclude group: 'org.bytedeco', module: 'javacpp-presets'
}

repositories {
    mavenCentral()
}

dependencies {
    compile 'com.android.support:support-v4:23.2.1'
    compile files('libs/opencv.jar') //1.2
    compile files('libs/javacv.jar') //1.2
    compile files('libs/javacpp.jar') //1.2.3
    compile files('libs/ffmpeg.jar') //1.2
}
  • Clean project and rebuild.

Reference - sourab-sharma/TouchToRecord#23
