How to fix apps with OpenSSL CVE-2014-0224 and other vulnerabilities

This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.0.1h, 1.0.0m, and 0.9.8za.  These apps contain security vulnerabilities that violate the Dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.  

Please migrate your app(s) to an updated version of OpenSSL as soon as possible and increment the version number of the upgraded APK. Apps and app updates containing the vulnerabilities will not be accepted by Google Play. If you are using a third-party library that includes OpenSSL, please notify the third party and work with them to address the issue.

What’s happening

Please refer to the notice in your Play Console. After the deadlines shown there, any apps that still contain unfixed security vulnerabilities may be removed from Google Play.

Action required

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

The CVE-2014-0224 vulnerability can enable an attacker to mount a man-in-the-middle (MITM) attack that decrypts and modifies the traffic between the attacked client and server. The vulnerabilities were fixed beginning with OpenSSL versions 1.0.1h, 1.0.0m, and 0.9.8za. To confirm which OpenSSL version your app bundles, search the contents of the APK for the OpenSSL version banner:

  $ unzip -p YourApp.apk | strings | grep "OpenSSL"
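The one-liner above only prints whatever lines match, so you still have to read off the version and compare it by hand against the fixed releases. The following POSIX shell script is an added example, not part of this notice or of OpenSSL's tooling: it extracts every "OpenSSL x.y.z<letter>" banner from a binary (or from all entries of an APK via unzip -p), then flags any version that is on one of the three affected branches and older than the release that fixed it (1.0.1h, 1.0.0m, 0.9.8za). The sample input is a constructed blob, not a real library; the script assumes unzip, grep -a -o, sort and cut are available, and that the banner follows OpenSSL's usual single-digit "major.minor.fix" plus patch-letter format of that era.

```shell
#!/bin/sh
# Added example (not from the Google Play notice): list the OpenSSL version
# banners embedded in a binary and decide whether each one predates the
# releases that fixed CVE-2014-0224 (1.0.1h, 1.0.0m, 0.9.8za).
# Assumptions: 'unzip', 'grep -a -o', 'sort', 'cut' are available, and the
# banner has the form "OpenSSL <major>.<minor>.<fix><patch letters>".

# Print every distinct "x.y.z<letters>" version found in the data on stdin.
# 'grep -a' treats binary input as text; '-o' prints only the matched part.
openssl_versions() {
    grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' | sed 's/^OpenSSL //' | LC_ALL=C sort -u
}

# Same, but reading the concatenated contents of every entry in an APK.
apk_openssl_versions() {
    unzip -p "$1" | openssl_versions
}

# Lexicographic "less than" for OpenSSL patch letters: "" < "a" < ... < "z" < "za" < "zb".
# Returns 0 when $1 sorts strictly before $2, 1 otherwise.
letter_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$1" ]
}

# Exit 0 if the version (e.g. 1.0.1e) is on an affected branch and older than
# that branch's fixed release; exit 1 otherwise (including branches that the
# advisory does not cover, such as 1.0.2 or later).
is_vulnerable_version() {
    branch=$(printf '%s' "$1" | cut -c1-5)   # "1.0.1"
    letter=$(printf '%s' "$1" | cut -c6-)    # "e", or "" for the initial release
    case "$branch" in
        1.0.1) fixed=h ;;
        1.0.0) fixed=m ;;
        0.9.8) fixed=za ;;
        *) return 1 ;;
    esac
    letter_lt "$letter" "$fixed"
}

# Scan a file and print one verdict per version found; exit 1 if any
# vulnerable version was present so the script can gate a build step.
report() {
    status=0
    for v in $(openssl_versions < "$1"); do
        if is_vulnerable_version "$v"; then
            echo "VULNERABLE: OpenSSL $v (fixed in $branch$fixed)"
            status=1
        else
            echo "ok: OpenSSL $v"
        fi
    done
    return $status
}

# Constructed stand-in for 'unzip -p YourApp.apk' output: binary noise around
# two OpenSSL banners, one vulnerable (1.0.1e) and one fixed (1.0.1h).
make_sample_blob() {
    printf 'ELF\000\001\002OpenSSL 1.0.1e 11 Feb 2013\000\377OpenSSL 1.0.1h 5 Jun 2014\000' > "$1"
}

# Demo run on the constructed blob. For a real APK use:
#   unzip -p YourApp.apk > /tmp/apk.blob && report /tmp/apk.blob
sample="${TMPDIR:-/tmp}/openssl-scan-sample.$$"
make_sample_blob "$sample"
report "$sample" || echo "a bundled OpenSSL predates the fix; rebuild against 1.0.1h, 1.0.0m or 0.9.8za"
rm -f "$sample"
```

Because unzip -p emits every entry of the archive, the scan also covers OpenSSL copies hidden inside third-party .so files under lib/, which is exactly the case where the version in your own build scripts can be misleading. A non-zero exit from report is what you would wire into CI so an affected APK is never uploaded in the first place.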

For more information about the vulnerability, please see this OpenSSL Security Advisory. OpenSSL can be downloaded from https://www.openssl.org/source. For other technical questions, please post to https://www.stackoverflow.com/questions and use the tags “android-security” and “openssl.”

Note: while these issues may not affect every app that uses OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, it's best to stay up to date on all security patches. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
