Remediation for Bad OpenSSL Versions

This information is intended for developers with app(s) that utilize a defective version of OpenSSL library directly or indirectly. 

What’s happening

One or more of your apps contain a defective version of OpenSSL library, which can cause your app to crash, thus harming its usability. Even if your app doesn’t depend on the OpenSSL artifact directly, one of the 3rd-party libraries/SDKs in your app’s dependencies may do so.

Fixing this issue is highly recommended but not mandatory. The publication status of your app will be unaffected by the presence of this issue.

Additional details

The ARMv8.3 PAC functionality enables hardware-assisted control flow integrity (CFI) by authenticating pointers (specifically, the return addresses) at runtime. Older versions of OpenSSL use this functionality incorrectly, causing crashes at runtime. This issue was resolved in OpenSSL 1.1.1i. Versions between 1.1.1b and 1.1.1h are affected.

Next Steps 

1. Update your app and fix the "Bad OpenSSL Versions" alert using the steps highlighted below.

• If your app depends on OpenSSL directly, 
  • Migrate your app to OpenSSL 1.1.1i or higher.
  • For example, if you implemented 'com.android.ndk.thirdparty:openssl:1.1.1g-alpha-1' in your gradle settings, update it to “1.1.1l-beta-1” or newer.
  • Alternatively, use Java methods, like HttpsURLConnection, for interacting with cryptography instead of native interfaces. 
  • Note: Updating your security provider won’t solve this problem.
• If your app depends on OpenSSL indirectly through the following SDKs or any other ones that provide communication via HTTPS/SSL (TLS), please contact the SDK providers to download the patch and apply to your project:
  • Agora RTM SDK
  • Alibaba’s short video SDK
  • Amazon Chime SDK or AWS C++ SDK Core
  • Cocos2d-x
  • jLibtorrent
  • Microsoft Cognitive Service Speech
  • MongoDB Realm SDK
  • Note: Above is not an exhaustive list of affected SDKs.

2. Submit your updated APK

To submit an updated app bundle or APK:

1. Go to your Play Console.
2. Select the app.
3. Go to the App bundle explorer.
4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
6. Near the top right of the page, click Create new release. (You may need to click Manage track first.)
7. If the release with the non-compliant APK is in a draft state, discard the release.
8. Add the policy compliant version of app bundles or APKs.
9. Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
10. To save any changes you make to your release, select Save.
11. When you've finished preparing your release, select Review release.
12. If the non-compliant APK is released to multiple tracks, repeat steps 5-9 in each track.

During this time your new app or app update will be in a in review status until your request is reviewed. If the app has not been updated correctly, you will still see the warning.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-stability.” For clarification on steps you need to take to resolve this issue, you can contact our support team.