App rejected by Play Store for old version of OpenSSL

Recently, my app was rejected from the Play Store and the reason given was this:


The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. To confirm your OpenSSL version, you can do a grep search for:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

You can find more information and next steps in this [Google Help Center article](https://support.google.com/faqs/answer/6376725).

The app had v3.5.2 of SQLCipher, which in turn has OpenSSL v1.0.2g, yet it was rejected from the Play Store.

Oddly enough, the same app was accepted in a subsequent submission to the Play Store.

I bumped up the version of SQLCipher to 3.5.9 and even 4.0.1, and in both cases the submission/rejection from Play Store was random. It was accepted in some instances and rejected in some other instances with all 3 versions of SQLCipher.

My question is: has anyone seen something similar? What did you do? I have already approached Google pertaining to this, but I’d like to hear other experiences.

Hello @sriniketana - can you please make sure that there aren’t any SQLCipher libraries in app/main/jniLibs, perhaps from an older version of SQLCipher that predated the aar releases? Are you including any other libraries that might have included OpenSSL?

@sjlombardo
No, there aren’t any stale libraries nor any third party libraries that add OpenSSL.
In fact, I’ve looked at the output of the unzip -p YourApp.apk | strings | grep "OpenSSL" command and all instances point to 1.0.2g.

Oddly enough, the same apk was accepted in some instances and was rejected in some instances. No change except the versionCode of the app.

Hello @sriniketana. Perhaps there is a problem with Google’s app analyzer? I think your contact with Google is the best bet. I’m not sure if there is any other advice we can offer on the SQLCipher side, as the library is not using old versions of OpenSSL, and you have already manually verified that your APK is not including any other such libraries.

Thanks @sjlombardo - I agree that it’s most likely an issue with the way Google analyzes the apks. I understand reaching out to Google is the best way forward, which I’ve already done. I opened this conversation to see if anyone else had seen similar issues and what was done to resolve it.

Understood, let’s see if anyone else from the community has seen anything similar.
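
Added example, not part of the thread: a per-entry version of the `unzip | strings | grep` check that reports which file inside the APK carries each OpenSSL banner and whether it predates the releases named in the rejection notice. The sample archive, its entry names and the treatment of branches older than 1.0.1 are assumptions.

```python
import io
import re
import zipfile

# Banner OpenSSL embeds in its binaries, e.g. b"OpenSSL 1.0.2g  1 Mar 2016".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})\b")

# Patched releases per branch, from the notice quoted in the thread
# ("1.02f/1.01r", read here as 1.0.2f and 1.0.1r).
MIN_PATCHED = {(1, 0, 1): "r", (1, 0, 2): "f"}

def _rank(letter):
    # OpenSSL 1.0.x patch letters run "", a..z, then za, zb, ...
    return (len(letter), letter)

def is_flagged(major, minor, fix, letter):
    """True if this version predates the patched release for its branch."""
    branch = (major, minor, fix)
    if branch in MIN_PATCHED:
        return _rank(letter) < _rank(MIN_PATCHED[branch])
    return branch < (1, 0, 1)  # assumption: branches older than 1.0.1 are flagged

def scan_apk(apk):
    """Return {entry name: {version: flagged}} for entries with a banner."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            versions = {}
            for m in BANNER.finditer(zf.read(name)):  # read() decompresses the entry
                major, minor, fix = (int(g) for g in m.group(1, 2, 3))
                letter = m.group(4).decode()
                version = f"{major}.{minor}.{fix}{letter}"
                versions[version] = is_flagged(major, minor, fix, letter)
            if versions:
                findings[name] = versions
    return findings

def build_sample_apk():
    """Constructed sample archive; entry names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/armeabi-v7a/libsqlcipher.so",
                    b"\x7fELF\x00OpenSSL 1.0.2g  1 Mar 2016\x00")
        zf.writestr("lib/armeabi-v7a/libstale.so",
                    b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("classes.dex", b"dex\n035\x00no banner here")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, versions in scan_apk(build_sample_apk()).items():
        for version, flagged in versions.items():
            print(f"{'FLAGGED' if flagged else 'ok':8}{name}: OpenSSL {version}")
```

`scan_apk` also accepts a filesystem path, so a real APK can be passed in place of the constructed sample.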