How to address OpenSSL vulnerabilities in your apps

This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.0.2f/1.0.1r.  These versions contain security vulnerabilities.  

Please migrate your app(s) to OpenSSL 1.0.2f/1.0.1r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.

Next steps:

  1. Migrate your app to OpenSSL 1.0.2f/1.0.1r or higher and increment the version number.
  2. Sign in to your Developer Console and submit the updated version of your app.
  3. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. 

The vulnerabilities were addressed in OpenSSL 1.0.2f/1.0.1r. The latest versions OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").

If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.0.2f/1.0.1r or higher.

The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

While these issues may not affect every app that uses OpenSSL versions prior to 1.0.2f/1.0.1r, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you an OpenSSL warning in error, contact our support team through the Google Play Developer Help Center.

Was this article helpful?
How can we improve it?