Android Internet Library OpenSSL version problem

Todd Fabacher tfabacher at gmail.com
Thu Mar 31 15:03:20 EDT 2016


Here is the email


Hello Google Play Developer,

Your app(s) listed at the end of this email utilize a version of OpenSSL
that contains one or more security vulnerabilities. If you have more than
20 affected apps in your account, please check the Developer Console
<https://www.google.com/appserve/mkt/p/fjei2Ep_bOBlYuDc6w9bmNJq7yf2tJoxDhZCISvC3oPBU402G0KdpugkDbaYNCNfFe5Krmc=>
for a full list.

*Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as
possible and increment the version number of the upgraded APK.* Beginning
July 11, 2016, Google Play will block publishing of any new apps or updates
that use older versions of OpenSSL. If you’re using a 3rd party library
that bundles OpenSSL, you’ll need to upgrade it to a version that bundles
OpenSSL 1.02f/1.01r or higher.

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest
versions of OpenSSL can be downloaded here
<https://www.google.com/appserve/mkt/p/cYEKsNY1EXxMUibx1g5wXFqEUJug2qxAljz5dcjw0FdtOCzzVgES3UnVMg3NZzg=>.
To confirm your OpenSSL version, you can do a grep search for
($ unzip -p YourApp.apk | strings | grep "OpenSSL").

To confirm you’ve upgraded correctly, submit the updated version to the
Developer Console and check back after five hours. If the app hasn’t been
correctly upgraded, we will display a warning.

The vulnerabilities include "logjam
<https://www.google.com/appserve/mkt/p/wwzjM8dOQQABsjZHsmizCbtZBSy8QLOCS_zC_JwDzZFu8t3E>"
and CVE-2015-3194
<http://www.google.com/appserve/mkt/p/5Fet4eNQpubmLcdcsDLDxQVC3cpQIobX-ZpnUbOEzQ-ef8eBEX8b3UwbW-2vkf0uOl4MxDC_ybcHvx-9tuf2bvBKMB1VVG-jISB4iU8SW3IZDl956lVV1NcKOGImM_eDDfVPYU7DHSCeP6NAKczWI21Zwhb26nmp1L7at28gjcE=>.
The Logjam attack allows a man-in-the-middle attacker to downgrade
vulnerable TLS connections to 512-bit export-grade cryptography. This
allows the attacker to read and modify any data passed over the connection.
Details about other vulnerabilities are available here
<https://www.google.com/appserve/mkt/p/SaM0ZeGJS3KDm1_UVkqSocD06axb2Pnx2R11VGhz5ztJQm6xXXC69LkUGxikh7zJ2dtHtGx5iOgP9RIJjcHKsfY=>.
For other technical questions, you can post to Stack Overflow
<https://www.google.com/appserve/mkt/p/eMKFo3KVNtsXJIz_0hnZoToX-cCMUIa3k-i9378x7adhWusHjYDL83SZltgBexcJz0z-o_wtJh0=>
and use the tags “android-security” and “OpenSSL.”

While these specific issues may not affect every app that uses OpenSSL,
it’s best to stay up to date on all security patches. Apps with
vulnerabilities that expose users to risk of compromise may be considered
in violation of our Malicious Behavior policy
<https://www.google.com/appserve/mkt/p/8Ke0G-Rjrwg2kyNAeVDUbN-PtGFFtm0XwcheZ2wPcRjpI-4yIcgkVmqu_o7W8H3w320ruNzsFnZ5FixHl7DH5uUdtapHi5ZFg_iDtWKQrzqSmvgWhgQEjBeOQQ==>
and section 4.4
<https://www.google.com/appserve/mkt/p/J66OFIBf3DgWBKNfQlTjy5x6M2_SVA1zJopao2l5WkqBG5pKvFHNIi1_lvTYpP-Fk6QzgzQ4loBrQyIR6D6zfqLPoFqA4KPgLNnhOoCZz1DZ9c9vfHwvA3JYPTs6DRE=>
of the Developer Distribution Agreement.
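The grep check in the notice only shows the banner string; the script below (an added example, not part of the original email or this mailing list post) automates the same check offline: it opens the APK as a zip, pulls every "OpenSSL x.y.zN" banner out of the bundled native libraries, and flags anything older than the fix releases the notice names (1.02f/1.01r are OpenSSL 1.0.2f and 1.0.1r). The sample "APK" it builds is a constructed stand-in; the version-ordering rule (numeric parts, then the patch letter) is the normal OpenSSL 1.0.x scheme.

```python
import io
import re
import zipfile

# Minimum fixed releases the Google Play notice asks for, keyed by OpenSSL branch.
MIN_FIXED = {(1, 0, 2): "1.0.2f", (1, 0, 1): "1.0.1r"}

# The banner OpenSSL compiles into libcrypto/libssl, e.g. "OpenSSL 1.0.2f  28 Jan 2016".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def version_key(version):
    """'1.0.2f' -> (1, 0, 2, 'f'); these tuples sort in OpenSSL release order."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def is_outdated(version):
    """True if the version is older than the fix release the notice requires."""
    key = version_key(version)
    branch = key[:3]
    if branch in MIN_FIXED:
        return key < version_key(MIN_FIXED[branch])
    # Branches before 1.0.1 never got these fixes; newer branches (1.1.x and up) are fine.
    return branch < (1, 0, 1)

def audit_apk(apk_bytes):
    """Scan every entry in an APK (a zip) for OpenSSL banners: {entry: {version: outdated?}}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            for m in BANNER_RE.finditer(apk.read(name)):
                version = m.group(1).decode("ascii")
                report.setdefault(name, {})[version] = is_outdated(version)
    return report

def build_sample_apk(banner):
    """Constructed stand-in for a real APK: a zip whose native library embeds the banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("lib/armeabi-v7a/libcrypto.so", b"\x7fELF\0\0" + banner + b"\0\0")
    return buf.getvalue()

if __name__ == "__main__":
    for banner in (b"OpenSSL 1.0.2e 3 Dec 2015", b"OpenSSL 1.0.2f  28 Jan 2016"):
        print(audit_apk(build_sample_apk(banner)))
```

To check a real build, replace build_sample_apk(...) with the bytes of YourApp.apk read from disk; an empty report means no bundled OpenSSL banner was found, which is also worth confirming by hand if a third-party library is expected to carry one.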


