How to fix apps with the GnuTLS vulnerability

This information is intended for developers who received a message because they have app(s) utilizing a version of GnuTLS (a communications library implementing SSL, TLS, and DTLS protocols) containing a security vulnerability. These apps violate the Dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.  

Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.  Apps and app updates containing the GnuTLS vulnerability will not be accepted by Google Play. If you are using a 3rd party library that includes GnuTLS, please notify the 3rd party and work with them to address the issue.

The vulnerability was addressed in GnuTLS 3.1.25, GnuTLS 3.2.15, and GnuTLS 3.3.4. The latest versions of GnuTLS can be downloaded from the GnuTLS website.  For help upgrading, see the GnuTLS support documentation.

Due to a flaw in the way your version of GnuTLS parses session IDs, an attacker could potentially trigger a buffer overflow and remotely control your app.  For more information about the vulnerability, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466. For other technical questions, please post to Stack Overflow and use the tags “android-security” and “GnuTLS.”

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display an alert.   

Note: while these issues may not affect every app that uses GnuTLS versions prior to 3.1.25, 3.2.15, and 3.3.4, it’s best to stay up to date on all security patches. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you a GnuTLS warning in error, contact our support team through the Google Play Developer Help Center.