A while back, Google started flagging software in Google Play for providing what it believed to be vulnerable versions of OpenSSL. See, for example, "Security Alert: You are using a highly vulnerable version of OpenSSL," https://groups.google.com/d/msg/android-security-discuss/o3ymXQjdQLI/3Ssoa47R_IYJ.
Google issued the notices based on the presence of OpenSSL strings. According to the folks on the Android Security team, they based it on (https://groups.google.com/d/msg/android-security-discuss/o3ymXQjdQLI/KianK6PIIagJ):

    $ unzip -p YourApp.apk | strings | grep "OpenSSL"

I had software caught up in that because libssl and libcrypto do not provide separate strings. That is, libssl was vulnerable, libcrypto was OK, but there was no way to differentiate between use of the two libraries.

Please consider providing separate strings for libssl and libcrypto so third party policing actions can be more surgical.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
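The following is an added example, not part of the original message and not Google's scanner. The pipeline quoted above concatenates every APK entry before grepping, so a hit cannot be tied to a file; this sketch scans each entry separately and reports which ones carry an OpenSSL version banner. The sample APK, its entry names, and the banner value are constructed for the demonstration.

```python
import io
import re
import zipfile

# Version banner in the usual form, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]* +\d{1,2} [A-Z][a-z]{2} \d{4}")


def openssl_banners(apk_bytes):
    """Map each APK entry name to the sorted OpenSSL banners found in it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            found = {m.decode("ascii") for m in BANNER.findall(apk.read(info))}
            if found:
                hits[info.filename] = sorted(found)
    return hits


def build_sample_apk():
    """Constructed sample: entry names and contents are invented."""
    banner = b"OpenSSL 1.0.1e 11 Feb 2013"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"dex\n035\x00 no crypto here")
        # Separate shared objects: a per-entry scan can name each one.
        apk.writestr("lib/armeabi/libcrypto.so", b"\x7fELF\x00" + banner + b"\x00")
        apk.writestr("lib/armeabi/libssl.so", b"\x7fELF\x00" + banner + b"\x00")
        # Statically linked case: one file, same banner, no library name.
        apk.writestr("lib/armeabi/libapp.so", b"\x7fELF\x00" + banner + b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, banners in sorted(openssl_banners(build_sample_apk()).items()):
        print(f"{name}: {', '.join(banners)}")
```

Every matching entry reports the identical banner, so when the code is linked into an application library the scan still cannot say whether libssl or libcrypto is present, which is the gap the request above describes.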
