
Please migrate your app(s) to OpenSSL 1.0.2f/1.0.1r or higher as soon as possible and increment the version number of the upgraded APK. #17

Open
sharryshah12 opened this issue May 7, 2018 · 0 comments

Comments

@sharryshah12

How to address OpenSSL vulnerabilities in your apps
This information is intended for developers of apps statically linking against a version of OpenSSL that precedes 1.0.2f/1.0.1r. These versions contain security vulnerabilities.

Please migrate your app(s) to OpenSSL 1.0.2f/1.0.1r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. Your published app version will remain unaffected, however any updates to the app will be blocked unless they address this vulnerability.

Next steps:

1. Migrate your app to OpenSSL 1.0.2f/1.0.1r or higher and increment the version number.
2. Sign in to your Developer Console and submit the updated version of your app.
3. Check back after five hours - we'll show a warning message if the app hasn't been updated correctly.

The vulnerabilities were addressed in OpenSSL 1.0.2f/1.0.1r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search: `unzip -p YourApp.apk | strings | grep "OpenSSL"`.

If you're using a third-party library that bundles OpenSSL, you'll need to upgrade it to a version that bundles OpenSSL 1.0.2f/1.0.1r or higher.

The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

While these issues may not affect every app that uses OpenSSL versions prior to 1.0.2f/1.0.1r, it's best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Before publishing apps, please ensure they are compliant with the Developer Distribution Agreement and Content Policy. If you feel we have sent you an OpenSSL warning in error, contact our support team through the Google Play Developer Help Center.

Any solution please?
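The notice above only tells you to grep for the string "OpenSSL" in the unpacked APK; it does not say how to decide whether what you find is old enough to matter. The script below is an added example, not part of the issue, of Google's notice or of any project: it parses the `OpenSSL X.Y.Z[letter]` version strings that `strings(1)` pulls out of a bundled libcrypto/libssl and checks each one against the 1.0.2f / 1.0.1r floor the notice sets. The function names and the sample `strings` output are the editor's own constructions, and the rule that 1.1.x and later is acceptable is an assumption based on those releases postdating both fixed versions; OpenSSL 1.0.2 letter releases sort alphabetically, which is what the comparison relies on.

```shell
#!/bin/sh
# Added example (not from the issue or from Google's notice): decide whether an
# OpenSSL version string embedded in an APK meets the 1.0.2f / 1.0.1r floor.
# Function names are the editor's own; the sample strings(1) output further
# down is constructed, not taken from a real APK.

# openssl_version_ok VERSION
#   returns 0 if VERSION (e.g. "1.0.1r", "1.0.2k", "1.1.0") is at or above
#   1.0.2f on the 1.0.2 branch or 1.0.1r on the 1.0.1 branch, 1 if it is older,
#   2 if the string is not an X.Y.Z[letter] version at all.
openssl_version_ok() {
    ver=$1
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unrecognised OpenSSL version: $ver" >&2; return 2 ;;
    esac
    major=${ver%%.*}                    # "1.0.1e" -> "1"
    rest=${ver#*.}                      #          -> "0.1e"
    minor=${rest%%.*}                   #          -> "0"
    rest=${rest#*.}                     #          -> "1e"
    patch=${rest%%[!0-9]*}              #          -> "1"
    letter=${rest#"$patch"}             #          -> "e"  (empty for bare "1.0.2")
    letter=${letter%"${letter#?}"}      # keep only the first letter

    # Assumption: 1.1.0 and later (and any major > 1) postdate both fixed releases.
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        return 0
    fi
    # 0.9.8 and 1.0.0 never received these fixes.
    if [ "$major" -lt 1 ] || [ "$patch" -eq 0 ]; then
        return 1
    fi
    case $patch in
        1) required=r ;;                # 1.0.1 branch: need 1.0.1r or later
        2) required=f ;;                # 1.0.2 branch: need 1.0.2f or later
        *) return 0 ;;                  # no such branch shipped, but it would be newer
    esac
    # Patch letters sort alphabetically, so compare their character codes.
    # A missing letter (bare "1.0.2") is the base release, below "1.0.2a".
    if [ -z "$letter" ]; then lcode=0; else lcode=$(printf '%d' "'$letter"); fi
    [ "$lcode" -ge "$(printf '%d' "'$required")" ]
}

# scan_openssl_strings
#   reads strings(1) output on stdin, prints a verdict for every distinct
#   "OpenSSL X.Y.Z[letter]" it finds, and returns 1 if any is below the floor,
#   2 if no version string was found at all (so "nothing found" is never
#   mistaken for "safe": a stripped or renamed library still needs a look).
scan_openssl_strings() {
    status=0
    found=0
    for v in $(grep -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' \
               | sed 's/^OpenSSL //' | sort -u); do
        found=1
        if openssl_version_ok "$v"; then
            echo "OpenSSL $v: ok (>= 1.0.2f/1.0.1r)"
        else
            echo "OpenSSL $v: VULNERABLE, below 1.0.2f/1.0.1r"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no OpenSSL version string found"
        return 2
    fi
    return $status
}

# Constructed sample of what `unzip -p YourApp.apk | strings` might print for an
# app that bundles an old libcrypto next to a third-party library with a fixed one.
SAMPLE_STRINGS='libssl.so.1.0.0
OpenSSL 1.0.1e 11 Feb 2013
SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.2k  26 Jan 2017'

# On a real APK, replace the printf with:  unzip -p YourApp.apk | strings | scan_openssl_strings
if printf '%s\n' "$SAMPLE_STRINGS" | scan_openssl_strings; then
    echo "APK scan: clean"
else
    echo "APK scan: action required"
fi
```

Note that `unzip -p YourApp.apk` with no member name dumps every file in the archive to stdout, which is why the pipeline works without knowing where the native libraries live; the exit status of `scan_openssl_strings` makes the check usable as a release-pipeline gate rather than something read by eye.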
