
When I submit a new APK to Google Play, my APK is rejected with the message:

> This app uses software that contains security vulnerabilities for users or allows the collection of user data without proper disclosure.
>
> Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.
>
> OpenSSL
>
> The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. To confirm your OpenSSL version, you can do a grep search for:
>
> $ unzip -p YourApp.apk | strings | grep "OpenSSL"
>
> You can find more information and next steps in this How to address OpenSSL vulnerabilities in your apps.

I checked my APK, and it is using the 1.0.2k version of OpenSSL.

What should I do now?

jww
Dixit Patel
  • Also see [Google Play and OpenSSL warning message](http://stackoverflow.com/q/24197777), [Android Google Play old OpenSSL warning](http://stackoverflow.com/q/36397094/608639), [Google Play warning and “unsafe implementation of X509TrustManager”](http://stackoverflow.com/q/35604684/608639), [How to grep or search .jar files for OpenSSL?](http://stackoverflow.com/q/36213149) and [How to determine which dependency causes Google Play OpenSSL warning?](http://stackoverflow.com/q/38187257) – jww Aug 13 '17 at 01:40
  • [OpenSSL `1.0.2l` is the latest](https://www.openssl.org/source/) version available. Update your app to OpenSSL 1.0.2l. – jww Aug 13 '17 at 01:46
  • I am using the CURL library in the NDK, so how can I update this? – Dixit Patel Aug 14 '17 at 04:18
  • Perhaps you should try updating the NDK. – jww Aug 14 '17 at 11:42

1 Answer


Either you used OpenSSL directly yourself, or you are using some third-party library that is using OpenSSL.

If you used OpenSSL directly yourself, get a newer version.

If you are using some third-party library that is using OpenSSL, identify the library, then upgrade to the latest version of that library. If the library still uses the older OpenSSL, stop using that library.

CommonsWare
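One way to carry out the "identify the library" step, as an added example that is not part of the original answer: the `unzip | strings | grep` check from the rejection message reports version banners but not which file they came from, so this script scans each APK entry separately and flags banners older than the 1.0.2f/1.0.1r releases named in the message. The function names, the sample file names and the sample banners are constructed for illustration.

```python
import io
import re
import zipfile

# Banner format OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.2k  26 Jan 2017".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
# Minimum patched release per branch, from the rejection message (1.0.2f / 1.0.1r).
MIN_PATCHED = {(1, 0, 1): "r", (1, 0, 2): "f"}

def letter_rank(letter):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(letter), letter)

def is_outdated(major, minor, fix, letter):
    """True if the version predates the patched release of its branch."""
    branch = (major, minor, fix)
    if branch in MIN_PATCHED:
        return letter_rank(letter) < letter_rank(MIN_PATCHED[branch])
    # Assumption: branches older than 1.0.1 are treated as outdated, newer ones as fine.
    return branch < (1, 0, 1)

def scan_apk(apk):
    """Map each APK entry name to [(version, outdated)] for the banners found in it."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            for major, minor, fix, letter in sorted(set(VERSION_RE.findall(zf.read(name)))):
                nums = (int(major), int(minor), int(fix))
                letter = letter.decode()
                version = ".".join(map(str, nums)) + letter
                findings.setdefault(name, []).append((version, is_outdated(*nums, letter)))
    return findings

def build_sample_apk():
    """Constructed sample APK: hypothetical native libraries with different banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libapp.so", b"\x7fELF\0OpenSSL 1.0.2k  26 Jan 2017\0")
        zf.writestr("lib/armeabi-v7a/libcurl.so", b"\x7fELF\0OpenSSL 1.0.1e 11 Feb 2013\0")
        zf.writestr("classes.dex", b"dex\n035\0no crypto here")
    return buf

if __name__ == "__main__":
    # Replace build_sample_apk() with the path to a real APK, e.g. "YourApp.apk".
    for entry, versions in scan_apk(build_sample_apk()).items():
        for version, outdated in versions:
            print(f"{entry}: OpenSSL {version} {'OUTDATED' if outdated else 'ok'}")
```

An entry flagged as outdated points to the native library or bundled archive that has to be rebuilt against, or replaced by a build using, a newer OpenSSL.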