Hi, I got an OpenSSL vulnerability warning in my Google Developer account for 
one of the apps I have uploaded. I was using the JavaCV library, which was prone 
to the vulnerability. I updated the JavaCV library version to resolve the 
issue. The issue still exists after I updated the JavaCV version, but then I 
checked using the terminal command found here 
<https://support.google.com/faqs/answer/6376725?hl=en>. I was still getting 
the same result as earlier, so I am guessing there are some other libraries 
in the project which use OpenSSL. The command I executed and the result 
are: 

unzip -p /Users/user/Desktop/app-debug.apk | strings | grep "OpenSSL"

GmsCore_OpenSSL
+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
OpenSSL 1.0.2h  3 May 2016
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL X9.42 DH method
OpenSSL PKCS#3 DH method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
TLSv1 part of OpenSSL 1.0.2h  3 May 2016
SSLv3 part of OpenSSL 1.0.2h  3 May 2016
DTLSv1 part of OpenSSL 1.0.2h  3 May 2016
MD5 part of OpenSSL 1.0.2h  3 May 2016
SHA1 part of OpenSSL 1.0.2h  3 May 2016
SHA-256 part of OpenSSL 1.0.2h  3 May 2016
SHA-512 part of OpenSSL 1.0.2h  3 May 2016
Big Number part of OpenSSL 1.0.2h  3 May 2016
EC part of OpenSSL 1.0.2h  3 May 2016
(1RSA part of OpenSSL 1.0.2h  3 May 2016
Diffie-Hellman part of OpenSSL 1.0.2h  3 May 2016
Stack part of OpenSSL 1.0.2h  3 May 2016
lhash part of OpenSSL 1.0.2h  3 May 2016
EVP part of OpenSSL 1.0.2h  3 May 2016
ASN.1 part of OpenSSL 1.0.2h  3 May 2016
PEM part of OpenSSL 1.0.2h  3 May 2016
X.509 part of OpenSSL 1.0.2h  3 May 2016
DES part of OpenSSL 1.0.2h  3 May 2016
libdes part of OpenSSL 1.0.2h  3 May 2016
AES part of OpenSSL 1.0.2h  3 May 2016
RC2 part of OpenSSL 1.0.2h  3 May 2016
IDEA part of OpenSSL 1.0.2h  3 May 2016
CAMELLIA part of OpenSSL 1.0.2h  3 May 2016
EDSA part of OpenSSL 1.0.2h  3 May 2016
ECDSA part of OpenSSL 1.0.2h  3 May 2016
ECDH part of OpenSSL 1.0.2h  3 May 2016
RAND part of OpenSSL 1.0.2h  3 May 2016
CONF part of OpenSSL 1.0.2h  3 May 2016
CONF_def part of OpenSSL 1.0.2h  3 May 2016
TXT_DB part of OpenSSL 1.0.2h  3 May 2016
RC4 part of OpenSSL 1.0.2h  3 May 2016
SHA-256 part of OpenSSL 1.0.1p 9 Jul 2015
cU!
   }AES part of OpenSSL 1.0.1p 9 Jul 2015

Are the last two lines of any concern (1.0.1p)? 

If there are some other libraries in the project that use OpenSSL, how do I 
find out which one?! My app-level Gradle file is as shown below:


buildscript {
    repositories {
        jcenter()
        mavenCentral()
        maven { url 'https://maven.fabric.io/public' }
    }

    dependencies {
        classpath 'io.fabric.tools:gradle:1.19.1'
        classpath 'com.neenbedankt.gradle.plugins:android-apt:1.7'
        classpath "io.realm:realm-gradle-plugin:0.87.5"
    }
}
apply plugin: 'com.android.application'
apply plugin: 'io.fabric'
apply plugin: 'findbugs'
apply plugin: 'checkstyle'
apply plugin: 'pmd'
apply plugin: 'com.neenbedankt.android-apt'
apply plugin: 'realm-android'

check.dependsOn 'findbugs', 'checkstyle', 'pmd'
ext.vMajor = 1
ext.vMinor = 2

repositories {
    maven { url 'https://maven.fabric.io/public' }
}

android {
    compileSdkVersion 23
    buildToolsVersion '23.0.3'

    defaultConfig {
        applicationId "com.app.app"
        minSdkVersion 16
        targetSdkVersion 22
        versionName computeVersionName()
        versionCode computeVersionCode()
        multiDexEnabled true
        renderscriptTargetApi 20
        ndk { abiFilters "armeabi-v7a" }
        renderscriptSupportModeEnabled true
        resConfigs "en"
    }
    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            ext.enableCrashlytics = true
            ext.betaDistributionReleaseNotes = ""
            ext.betaDistributionEmails = ""
        }
        /*    debug {
                minifyEnabled false
                proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
                ext.enableCrashlytics = true
                ext.betaDistributionReleaseNotes = "Debug Release one"
                ext.betaDistributionEmails = "a...@gmail.com"
            }*/

    }
    android {
        lintOptions {
            disable 'RtlHardcoded', 'RtlSymmetry'
            abortOnError false
        }
    }
    android {
        aaptOptions {
            cruncherEnabled = false
        }
    }
}

def computeVersionName() {
    return String.format('%d.%d.%d', 1, 3, 3)
}

def computeVersionCode() {
    return 4;
}

task checkstyle(type: Checkstyle) {
    configFile file("${project.rootDir}/config/quality/checkstyle/checkstyle-config.xml")
    source 'src'
    include '**/*.java'
    exclude '**/gen/**'
    exclude '**/org/jivesoftware/smack/**'
    classpath = files()
}

task findbugs(type: FindBugs) {
    ignoreFailures = true
    effort = "max"
    reportLevel = "high"
    excludeFilter = new File("${project.rootDir}/config/quality/findbugs/findbugs-filter.xml")
    classes = files("$project.buildDir/intermediates/classes/")
    source 'src'
    include '**/*.java'
    exclude '**/gen/**'
    exclude '**/org/jivesoftware/smack/**'

    reports {
        xml {
            destination "$project.buildDir/reports/findbugs/findbugs.xml"
            xml.withMessages true
        }
    }

    classpath = files()
}

task pmd(type: Pmd) {
    ruleSetFiles = files("${project.rootDir}/config/quality/pmd/pmd-ruleset.xml")
    ignoreFailures = true

    source 'src'
    include '**/*.java'
    exclude '**/gen/**'
    exclude '**/org/jivesoftware/smack/**'

    reports {
        xml.enabled = true
        html.enabled = false
    }
}

check << {
    File outDir = new File('build/reports/pmd/')
    // Make sure the output dir exists to prevent a ReportException
    outDir.mkdirs()

    ant.taskdef(name: 'cpd', classname: 'net.sourceforge.pmd.cpd.CPDTask',
            classpath: configurations.pmd.asPath)

    ant.cpd(minimumTokenCount: '100', format: 'xml',
            outputFile: new File(outDir, 'cpd.xml')) {
        fileset(dir: "src/main/java") {
            include(name: '**/*.java')
        }
    }
}

android {
    packagingOptions {
        exclude 'META-INF/services/javax.annotation.processing.Processor'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/1.2/javacpp-presets-1.2.pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/org.bytedeco.javacpp-presets-1.2.pom.xml'
    }
}
dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    compile files('libs/native-libs/native-libs.jar')
    compile('com.crashlytics.sdk.android:crashlytics:2.5.5@aar') {
        transitive = true;
    }
    compile('com.twitter.sdk.android:tweet-composer:1.0.3@aar') {
        transitive = true;
    }
    compile('com.twitter.sdk.android:twitter:1.13.0@aar') {
        transitive = true;
    }
    apt "org.parceler:parceler:1.0.3"
    compile 'com.facebook.android:facebook-android-sdk:4.9.0'
    compile files('libs/jxmpp-core-0.4.2.jar')
    compile 'com.android.support:appcompat-v7:23.2.1'
    compile 'com.android.support:cardview-v7:23.2.1'
    compile 'com.android.support:multidex:1.0.1'
    compile 'com.android.support:recyclerview-v7:23.2.1'
    compile 'com.android.support:design:23.2.1'
    compile 'com.android.support:support-v4:23.2.1'
    compile 'com.google.android.gms:play-services-gcm:9.0.0'
    compile 'com.google.code.gson:gson:2.4'
    compile 'com.google.android.exoplayer:exoplayer:r1.5.7'
    compile 'com.google.android.gms:play-services-location:9.0.0'
    compile 'com.google.android.gms:play-services-maps:9.0.0'
    compile 'com.squareup.retrofit:retrofit:1.9.0'
    compile 'com.squareup.okhttp:okhttp:2.3.0'
    compile 'de.greenrobot:eventbus:2.4.0'
    compile 'com.amazonaws:aws-android-sdk-core:2.2.9'
    compile 'com.amazonaws:aws-android-sdk-s3:2.2.9'
    compile 'de.hdodenhof:circleimageview:1.3.0'
    compile 'com.github.bumptech.glide:glide:3.6.1'
    compile 'com.github.bumptech.glide:okhttp-integration:1.3.1@aar'
    compile 'jp.wasabeef:glide-transformations:1.0.8'
    compile 'com.cocosw:bottomsheet:1.+@aar'
    compile 'com.timehop.stickyheadersrecyclerview:library:0.4.3'
    compile 'org.parceler:parceler-api:1.0.3'
    compile 'me.zhanghai.android.materialprogressbar:library:1.1.4'
    /*compile 'commons-io:commons-io:2.4'*/
    compile 'com.flipboard:bottomsheet-core:1.5.0'
    compile 'commons-lang:commons-lang:2.3'
    compile files('libs/video_recording/opencv.jar')
    compile files('libs/video_recording/javacv.jar')
    compile files('libs/video_recording/javacpp.jar')
    compile files('libs/video_recording/ffmpeg.jar')
    compile files('libs/commons-io-2.5.jar')
}

task nativeLibsToJar(
        type: Jar,
        description: 'create a jar archive of the native libs') {
    destinationDir file("libs/native-libs")
    baseName 'native-libs'
    from fileTree(dir: "libs", include: '**/*.so')
    into 'lib/'
}

apply plugin: 'com.google.gms.google-services'   


Thank you in advance.
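
One way to attribute each OpenSSL version banner to the file that carries it, instead of scanning the whole APK as a single stream as the command above does. This is an added example, not part of the original post: the file names in `constructed_sample` are hypothetical, and the banner pattern is an assumption based on the strings shown in the output above.

```python
import io
import re
import sys
import zipfile

# Version banner that OpenSSL compiles into its libraries, e.g.
# "OpenSSL 1.0.2h  3 May 2016". Class-name strings such as
# "OpenSSLSocketImpl" carry no version and are deliberately not matched.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
NESTED = (".jar", ".aar", ".zip")


def openssl_by_entry(archive, prefix=""):
    """Map each entry of an APK/AAR/JAR to the OpenSSL versions embedded in it."""
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data, name = zf.read(info), prefix + info.filename
            if name.lower().endswith(NESTED):
                try:  # nested archive: report its entries as "outer.jar!/inner"
                    found.update(openssl_by_entry(io.BytesIO(data), name + "!/"))
                    continue
                except zipfile.BadZipFile:
                    pass  # misnamed file: fall back to scanning raw bytes
            versions = {m.group(1).decode() for m in BANNER.finditer(data)}
            if versions:
                found[name] = versions
    return found


def constructed_sample():
    """Constructed archive for the demo; all file names are hypothetical."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("lib/libvendor_c.so", b"\x7fELF\0OpenSSL 1.0.2h  3 May 2016\0")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("classes.dex", b"com.android.org.conscrypt.OpenSSLSocketImpl")
        zf.writestr("lib/armeabi-v7a/libvendor_a.so", b"EVP part of OpenSSL 1.0.2h  3 May 2016\0")
        zf.writestr("lib/armeabi-v7a/libvendor_b.so", b"AES part of OpenSSL 1.0.1p 9 Jul 2015\0")
        zf.writestr("assets/plugin.jar", inner.getvalue())
    return outer


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_sample()
    for name, versions in sorted(openssl_by_entry(target).items()):
        print(f"{name}: OpenSSL {', '.join(sorted(versions))}")
```

Pass the APK path as the first argument to scan a real build; entries under `lib/` name the `.so` file, which can then be traced back to the jar or dependency that ships it.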
