Google Play and OpenSSL warning message

Question

I just received an email from Google play stating:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has

Answer 1

According to Eric Davis on the Android Security Discussions mailing list in response to Security Alert: You are using a highly vulnerable version of OpenSSL:

1. You can determine which apps are using OpenSSL via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL"")
2. Please update all statically linked versions of OpenSSL to 1.0.1h, 1.0.0m, or 0.9.8za. (Note by jww: this version will change over time as new versions of OpenSSL are released).
3. If you are using a 3rd party library that bundles OpenSSL, please notify the 3rd party and work with them to address this.

When you get this message, you should update both the NDK and IDE you are using. I've seen reports of some versions of the NDK including a downlevel header. I also suspect the IDE you are using could be providing a downlevel OpenSSL version (I don't use the IDEs on Android, so I have not encountered it).

If you are not directly using OpenSSL, then the SDKs are providing the vulnerable version of OpenSSL. In this case, you should update your SDKs. If you need to locate the downlevel OpenSSL among SDKs, then see How to check which dependancy causes OpenSSL vulnerability.

Google also provides Updating Your Security Provider to Protect Against SSL Exploits, but I suspect it will still trigger the message because it appears to be a basic string search.

Its often easier to update everything rather than trying to figure out who is providing the down level version of OpenSSL. After you spend the time to determine who is providing it, your actionable item is the same: update the SDK. So why waste time on it; just update all of them and enjoy the other bug fixes, too.

---

There are still open questions, though: if one uses the cryptography from libcrypto (for example (RAND_bytes or EVP_encrypt) and not the SSL/TLS functions from libssl (for example, SSL_connect), will it still trigger the warning? That is, is Google scanning for use of vulnerable functions, or is Google scanning for OpenSSL version via strings.