Android OpenSSL vulnerability issue

Monica Memane
Mon, Nov 21, 2016 1:11 PM

Hi,

I am using CSipSimple code for my Android application, but it got rejected
for violation of Google Play policies. As described, it is using a
version of OpenSSL containing a security vulnerability.
/"Your app is using a version of OpenSSL containing a security
vulnerability"/

As per the Google support team -

/"Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon
as possible and increment the version number of the upgraded APK.
Beginning July 11, 2016, Google Play will block publishing of any new
apps or updates that use older versions of OpenSSL. Your published app
version will remain unaffected, however any updates to the app will be
blocked unless they address this vulnerability."/
https://support.google.com/faqs/answer/637672

The OpenSSL version for the APK, found using the following command ($ unzip -p
YourApp.apk | strings | grep "OpenSSL"), is:

  • OpenSSL 1.0.1h 5 Jun 2014

Also, to mention, we are using the HTTPS protocol in the app.

Is there a way in which we can upgrade the OpenSSL version of the app?

Please let me know pointers if any.

Thanks & Regards,
Monica Memane

JOHAN LANTZ
Mon, Nov 21, 2016 1:18 PM

  • If you are using the openssl library bundled with the device, then you must provide your own. Just build it and add the dependency in your Android.mk so it gets bundled inside your apk. Then it will be loaded from there instead of from the system folder.

  • If you are already building openssl yourself, just rebuild the new version and provide that one instead.

/Johan

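Added example, not part of the original thread: a Python version of the `unzip -p | strings | grep` check that also reports which file inside the APK carries each OpenSSL banner, so a rebuilt library can be confirmed before resubmitting. It assumes the minimums in the quoted Google notice mean 1.0.1r and 1.0.2f; the library name and sample APK are constructed for illustration.

```python
import io
import re
import zipfile

# Version banner that OpenSSL 1.0.x embeds in its binaries, e.g. "OpenSSL 1.0.1h 5 Jun 2014"
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")

# Minimum release per branch, taken from the notice quoted in the thread
# (assumption: "1.02f/1.01r" there means 1.0.2f and 1.0.1r)
MIN_PATCH = {(1, 0, 1): "r", (1, 0, 2): "f"}


def letter_rank(letters):
    # OpenSSL patch letters order as "" < a < ... < z < za < zb ...
    return (len(letters), letters)


def is_outdated(major, minor, fix, letters):
    branch = (major, minor, fix)
    if branch in MIN_PATCH:
        return letter_rank(letters) < letter_rank(MIN_PATCH[branch])
    return branch < (1, 0, 1)  # older branches fail, newer branches pass


def scan_apk(apk):
    """Return sorted (entry name, version, outdated?) for every banner found in the APK."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            for m in BANNER.finditer(zf.read(info)):
                major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
                letters = m.group(4).decode()
                version = f"{major}.{minor}.{fix}{letters}"
                findings.add((info.filename, version, is_outdated(major, minor, fix, letters)))
    return sorted(findings)


def build_sample_apk(banner):
    # Constructed sample: a zip holding one fake native library that contains the banner
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF\x00" + banner + b"\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, version, outdated in scan_apk(build_sample_apk(b"OpenSSL 1.0.1h 5 Jun 2014")):
        print(name, version, "OUTDATED" if outdated else "ok")
```

To check a real build, pass the path of the APK to `scan_apk` in place of the constructed sample.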