How to address OpenSSL vulnerabilities in your apps
This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.0.2f/1.0.1r. These versions contain security vulnerabilities. Please migrate your app(s) to OpenSSL 1.0.2f/1.0.1r or higher as soon as possible and increment the version number of the upgraded APK.
Beginning July 11, 2016, Google Play started to block the publishing of any new apps or updates that use older versions of OpenSSL. Please refer to the notice on your Play Console. After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Migrate your app to OpenSSL 1.0.2f/1.0.1r or higher and increment the version number.
- Submit the updated versions of your affected apps.
The vulnerabilities were addressed in OpenSSL 1.0.2f/1.0.1r. The latest versions OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").
If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.0.2f/1.0.1r or higher.
The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”
While these issues may not affect every app that uses OpenSSL versions prior to 1.0.2f/1.0.1r, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.