Google Reject My App implement This Library With Reason: OpenSSL's Security Vulnerabilities .

[DanhDue]

I have implement this library for my app. But when I publish my app to Google Play, they reject it with reason:

This app uses software that contains security vulnerabilities for users. Below is the list of vulnerabilities and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability: OpenSSL
APK Version(s): 1

The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

You can find more information and next steps in this Google Help Center article.

I have researched around internet and found warning: OpenSSL using on curl library. Then, can you update OpenSSL and rebuild lib for me?

Please help me fix it!

Thank so much!

[kieukhuongthinh]

We've got the same issue, too.
Are there anyone have a solution?

[tunahanbayindir]

Any solution?

[kieukhuongthinh]

I solved it by updating javacv to 1.2 and javacpp to 1.2.1.

[tunahanbayindir]

Can you exatcly explain how?

[kieukhuongthinh]

@tunahanbayindir :
You can follow below links to update your javacv and javacpp:

• https://github.com/bytedeco/javacv
• https://github.com/bytedeco/javacpp
• https://github.com/bytedeco/javacpp-presets/wiki/Issues-with-Build-Tools#gradle
• javacv 1.2, android 6.0.1, nexus 6: Fatal signal 11 (SIGSEGV), code 1 bytedeco/javacv#412

[tunahanbayindir]

I followed and updated but it gives me fatal signal can't load library libavutil.so, do I need to do anything wih so files?

[kieukhuongthinh]

Did you update .so files in /[touchToRecordPath]/src/main/jniLibs/ ?
And did you clean and rebuild project?

[tunahanbayindir]

Actually dont know how to update .so files, could you send me your .so files? tunahan@dodochallenger.com, that would be really helpful

[kieukhuongthinh]

You can download .so files at:

• https://github.com/bytedeco/javacv (javacv-version-bin.zip)
• https://github.com/bytedeco/javacpp (javacpp-version-bin.zip)

Unzip .zip file > extract .jar files (you can use .7zip to extract). You can find the solution on github forum of javacv or javacpp. I just did following their guides.

[devendroid]

I also struggling with this issue,
@kieukhuongthinh I added updated version of javacv and javacpp in gradle as showing in above links, but my app still showing old verison of OpenSSL 1.0.2d 9 Jul 2015,
I think i need to re build all .SO files, how i can do this ?
@tunahanbayindir did you tried this, any luck ?

[kieukhuongthinh]

@tunahanbayindir , @devsideal : I'm sorry, I wanted to explain in more details before, but I was busy. Now I write a full tutorial (what I did) for you.

First, I use Android Studio. So, if you're using Eclipse, try to find your own way.

The cause of the issue is the libavformat.so file which is using OpenSSL 1.0.2d. We need to update it. But, just updating libavformat.so will cause crashing, so we need to update all relating lib (javacv and javacpp).

• Download javacv-1.2-bin.zip and javacpp-1.2.3-bin.zip from https://github.com/bytedeco/javacv and https://github.com/bytedeco/javacpp
• Extract them and copy ffmpeg.jar, javacpp.jar, javacv.jar and opencv.jar to [touchToRecord]\libs.
• Extract ffmpeg-android-arm.jar and opencv-android-arm.jar (find them after extracting javacv-1.2-bin.zip), you will collect new version of .so files.
• Replace the old files in [touchToRecord]\src\main\jniLibs\armeabi-v7a with new version (just almost .so files will be replaced, not all of them)
• Sometimes, you need to copy javacpp-presets-1.2.pom file to [touchToRecord]\libs, too. You can search it on Google.
• Modify the build.gradle of touchToRecord module

apply plugin: 'com.android.library'

android {
    compileSdkVersion 23
    buildToolsVersion "23.0.3"

    defaultConfig {
        minSdkVersion 14
        targetSdkVersion 23
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'

        }
    }

    packagingOptions {
        exclude 'META-INF/services/javax.annotation.processing.Processor'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/opencv/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.properties'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/ffmpeg/pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/1.2/javacpp-presets-1.2.pom.xml'
        pickFirst 'META-INF/maven/org.bytedeco.javacpp-presets/org.bytedeco.javacpp-presets-1.2.pom.xml'
    }
}

configurations {
    all*.exclude group: 'org.bytedeco', module: 'javacpp-presets'
}

repositories {
    mavenCentral()
}

dependencies {
    compile 'com.android.support:support-v4:23.2.1'
    compile files('libs/opencv.jar') //1.2
    compile files('libs/javacv.jar') //1.2
    compile files('libs/javacpp.jar') //1.2.3
    compile files('libs/ffmpeg.jar') //1.2
}

• Clean project and rebuild.

Good luck.

[devendroid]

Thanks a lot @kieukhuongthinh for your explanation, It solved the issue.

[1Dev11]

thanks @kieukhuongthinh it's help a lot

[tunahanbayindir]

anyone up? need urgent help