Thread: Google Play rejects APPs with OpenSSL Vulnerability


Replies: 23 - Last Post: Oct 20, 2016 2:48 AM - Last Post By: SGBr Sistemas S...
László Mlnvszky

Posts: 106
Registered: 10/21/09
Google Play rejects APPs with OpenSSL Vulnerability
Posted: Sep 30, 2016 1:56 AM
Google Play rejects APPS uploaded since today:
OpenSSL: The vulnerabilities were addressed in OpenSSL 1.02f/1.01r.

Possible because of Indy components, but not sure. Not using any SSL feature.

How to update the Android SSL files for Delphi Berlin?
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Sep 30, 2016 12:40 PM, in response to: László Mlnvszky
László wrote:

Google Play rejects APPS uploaded since today:

OpenSSL: The vulnerabilities were addressed in OpenSSL 1.02f/1.01r.

Possible because of Indy components, but not sure. Not using
any SSL feature.

Indy is not dependent on any particular version of OpenSSL. You simply have
to deploy up-to-date OpenSSL libraries with your app. Android libraries
for OpenSSL 1.0.1t and 1.0.2h are available at https://indy.fulgan.com/SSL/.

--
Remy Lebeau (TeamB)
László Mlnvszky

Posts: 106
Registered: 10/21/09
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 3, 2016 4:21 AM, in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
László wrote:

Google Play rejects APPS uploaded since today:

OpenSSL: The vulnerabilities were addressed in OpenSSL 1.02f/1.01r.

Possible because of Indy components, but not sure. Not using
any SSL feature.

Indy is not dependant on any particular version of OpenSSL. You simply have
to deploy up-to-date OpenSSL libraries with your app. Android libraries
for OpenSSL 1.0.1t and 1.0.2h are available at https://indy.fulgan.com/SSL/.

--
Remy Lebeau (TeamB)

Where should I copy those new libssl.so files?

I still can't upload my new APK to Google Play ...
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 3, 2016 9:02 AM, in response to: László Mlnvszky
László wrote:

Where should I copy those new libssl.so files?

I would think the '.\assets\internal' folder in the Deployment Manager would
suffice

http://docwiki.embarcadero.com/RADStudio/en/Creating_an_Android_App#Loading_and_Deploying_Files

And then pass the return value of TPath.GetDocumentsPath() to IdOpenSSLSetLibPath().

I still can't upload my new APK to Google Play ...

Why not?

--
Remy Lebeau (TeamB)
László Mlnvszky

Posts: 106
Registered: 10/21/09
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 4, 2016 12:01 AM, in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
László wrote:

Where should I copy those new libssl.so files?

I would think the '.\assets\internal' folder in the Deployment Manager would
suffice

http://docwiki.embarcadero.com/RADStudio/en/Creating_an_Android_App#Loading_and_Deploying_Files

And then pass the return value of TPath.GetDocumentsPath() to IdOpenSSLSetLibPath().

I still can't upload my new APK to Google Play ...

Why not?

--
Remy Lebeau (TeamB)

Sounds good, but the problem is I'm not even using IdOpenSSL in my APK ...
I wonder why Google rejects the APP or what to upgrade.
László Mlnvszky

Posts: 106
Registered: 10/21/09
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 5, 2016 1:02 AM, in response to: László Mlnvszky
László Mlnvszky wrote:
Remy Lebeau (TeamB) wrote:
László wrote:

Where should I copy those new libssl.so files?

I would think the '.\assets\internal' folder in the Deployment Manager would
suffice

http://docwiki.embarcadero.com/RADStudio/en/Creating_an_Android_App#Loading_and_Deploying_Files

And then pass the return value of TPath.GetDocumentsPath() to IdOpenSSLSetLibPath().

I still can't upload my new APK to Google Play ...

Why not?

--
Remy Lebeau (TeamB)

Sounds good, but the problem is I'm not even using IdOpenSSL in my APK ...
I wonder why Google rejects the APP or what to upgrade.

After searching all my source code, I have narrowed it down to the InterBase library. In "libtogo.a" there are string fragments containing "OpenSSL 1.0.1i" which trigger the rejection automatically, as it is packed into the app's "myapp.so" file.

How can I get a newer version of libtogo.a which uses a newer OpenSSL, maybe 1.0.1u?
Eli M

Posts: 1,346
Registered: 11/9/13
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 5, 2016 7:12 AM, in response to: László Mlnvszky
You may have to open a support case with Embarcadero for this. You should have 3-6 a year w/ your Update Subscription.
Markus Humm

Posts: 5,113
Registered: 11/9/03
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 5, 2016 10:30 AM, in response to: Eli M
On 05.10.2016 at 16:12, Eli M wrote:
You may have to open a support case with Embarcadero for this. You should have 3-6 a year w/ your Update Subscription.

Hello,

before going down that route it might be wise to file a
quality.embarcadero.com report first; in the support case you can then
refer to it. Maybe wait 1-2 days in between so that the QP
report has already been opened.

Greetings

Markus
Jako Grobler

Posts: 45
Registered: 6/26/15
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 2:50 PM, in response to: Remy Lebeau (Te...
It looks like Google now scans for any OpenSSL version text references anywhere in the APK. In the "libibtogo.a" for Android there are a lot of "OpenSSL 1.0.1i" strings. It is the same text that shows up if you disassemble the APK generated by Delphi Berlin. Even if you deploy the latest standalone OpenSSL library files, it seems Google is still detecting that older text.
Ovidiu Popa

Posts: 13
Registered: 9/17/10
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 12:30 AM, in response to: László Mlnvszky
Hi all,
after I read some of the forum Q&A regarding this problem (I have it myself) I tried a small project to see if I could find a workaround.

I work with Delphi Berlin (no Update 1).
FMX project

program VerifySSL;

uses
  System.StartUpCopy,
  FMX.Forms,
  System.IOUtils,
  IdSSLOpenSSLHeaders,
  formMain in 'formMain.pas' {frmMain};

{$R *.res}

begin
  { Tell Indy where to look for libssl.so/libcrypto.so before anything
    touches OpenSSL. On Android the files deployed to assets\internal
    land in the app's documents path. }
  {$IFDEF ANDROID}
  IdOpenSSLSetLibPath(TPath.GetDocumentsPath);
  {$ENDIF}
  {$IFDEF WIN64}
  IdOpenSSLSetLibPath('C:\CRAP\'); // working OK
  {$ENDIF}

  Application.Initialize;
  Application.CreateForm(TfrmMain, frmMain);
  Application.Run;
end.


unit formMain;

interface

uses
  System.SysUtils, System.Types, System.UITypes, System.Classes, System.Variants,
  System.IOUtils,
  FMX.Types, FMX.Controls, FMX.Forms, FMX.Graphics, FMX.Dialogs,
  FMX.Controls.Presentation, FMX.StdCtrls,
  IdBaseComponent, IdComponent, IdTCPConnection, IdTCPClient, IdHTTP,
  IdSSLOpenSSLHeaders, IdSSLOpenSSL;

type
  TfrmMain = class(TForm)
    Button1: TButton;
    IdHTTP1: TIdHTTP;
    Button2: TButton;
    Button3: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  frmMain: TfrmMain;

implementation

{$R *.fmx}

// Which OpenSSL did Indy actually load? Shows the library's version string.
procedure TfrmMain.Button1Click(Sender: TObject);
begin
  ShowMessage(OpenSSLVersion);
end;

// An empty string means every OpenSSL entry point resolved.
procedure TfrmMain.Button2Click(Sender: TObject);
begin
  ShowMessage(WhichFailedToLoad);
end;

// Is the deployed libssl.so present where IdOpenSSLSetLibPath was pointed?
procedure TfrmMain.Button3Click(Sender: TObject);
begin
  if FileExists(TPath.Combine(TPath.GetDocumentsPath, 'libssl.so')) then
    ShowMessage('yes')
  else
    ShowMessage('no');
end;

end.

In the deployment section I included libssl.so and libcrypto.so to deploy into "assets\internal" ... once with '.\' and once without '.\'

1. The files are deployed. Button3 verifies this and the message is yes.
2. WhichFailedToLoad returns empty.
3. OpenSSLVersion returns an older version ... 1.0.1c May 2012

On another computer with Delphi Berlin Update 1 the version is a little newer, from 2013.

My conclusion is that no lib is loaded from the deployed files.
What else can I do?
Razvan

Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 6:45 AM, in response to: Ovidiu Popa
Ovidiu Popa wrote:
Hi all
after i read some of the forum Q and A regarding this problem (i have it myself) i try to do a small project to see if I get a workaround.

The only workaround is not to use interbase.

If you:
1. create a new project
2. add featured files (InterBase ToGo)
3. drop a TFDConnection on the form
4. set the DriverName to "IBLite"
5. build the application for Android

-----Result of grep search on APK-------------
$ unzip -p Project1.apk | strings | grep "OpenSSL"
OpenSSL
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1i 6 Aug 2014
OpenSSL default user interface
OpenSSL default
EVP part of OpenSSL 1.0.1i 6 Aug 2014
lhash part of OpenSSL 1.0.1i 6 Aug 2014
SHA1 part of OpenSSL 1.0.1i 6 Aug 2014
SHA-256 part of OpenSSL 1.0.1i 6 Aug 2014
DlSHA-512 part of OpenSSL 1.0.1i 6 Aug 2014
Stack part of OpenSSL 1.0.1i 6 Aug 2014
}AES part of OpenSSL 1.0.1i 6 Aug 2014
ASN.1 part of OpenSSL 1.0.1i 6 Aug 2014
Big Number part of OpenSSL 1.0.1i 6 Aug 2014
Diffie-Hellman part of OpenSSL 1.0.1i 6 Aug 2014
DSA part of OpenSSL 1.0.1i 6 Aug 2014
^ECDH part of OpenSSL 1.0.1i 6 Aug 2014
ECDSA part of OpenSSL 1.0.1i 6 Aug 2014
RAND part of OpenSSL 1.0.1i 6 Aug 2014
RSA part of OpenSSL 1.0.1i 6 Aug 2014
X.509 part of OpenSSL 1.0.1i 6 Aug 2014
OpenSSL 1.0.1i 6 Aug 2014
OpenSSL initialization failed
Error -- OpenSSL initialization failed! - Out of Memory
Error initializing OpenSSL
Error -- OpenSSL initialization failed!
EDES part of OpenSSL 1.0.1i 6 Aug 2014
libdes part of OpenSSL 1.0.1i 6 Aug 2014
PEM part of OpenSSL 1.0.1i 6 Aug 2014
SSLv2 part of OpenSSL 1.0.1i 6 Aug 2014
(((((sSSLv3 part of OpenSSL 1.0.1i 6 Aug 2014
TLSv1 part of OpenSSL 1.0.1i 6 Aug 2014
CONF part of OpenSSL 1.0.1i 6 Aug 2014
DTLSv1 part of OpenSSL 1.0.1i 6 Aug 2014
IDEA part of OpenSSL 1.0.1i 6 Aug 2014
RC2 part of OpenSSL 1.0.1i 6 Aug 2014
nopqrsTXT_DB part of OpenSSL 1.0.1i 6 Aug 2014
CAMELLIA part of OpenSSL 1.0.1i 6 Aug 2014
CONF_def part of OpenSSL 1.0.1i 6 Aug 2014
MD5 part of OpenSSL 1.0.1i 6 Aug 2014
RC4 part of OpenSSL 1.0.1i 6 Aug 2014
MD4 part of OpenSSL 1.0.1i 6 Aug 2014
RIPE-MD160 part of OpenSSL 1.0.1i 6 Aug 2014
SHA part of OpenSSL 1.0.1i 6 Aug 2014
Blowfish part of OpenSSL 1.0.1i 6 Aug 2014
:CAST part of OpenSSL 1.0.1i 6 Aug 2014
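The `strings | grep` pipeline above shows the raw hits; what a practitioner wants before uploading is the same check with the version letters actually compared against the fix levels the Play notice named (1.0.1r / 1.0.2f), per zip member, so that a hit in the app's own .so is told apart from a current libssl.so deployed alongside it. The script below is an added example, not code from any post in this thread. The APK it scans is a constructed in-memory zip whose members mimic the thread's findings (a native lib carrying the 1.0.1i strings, a separately deployed 1.0.2h libssl.so); the per-branch fix letters are my reading of the notice quoted in the first post, and the page does not say how Play itself matches, so treat the result as a pre-upload heuristic rather than Google's rule.

```python
"""Scan an APK (a zip) for embedded OpenSSL version strings and flag those
older than the fix levels in the Play notice (1.0.1r / 1.0.2f).

Added example, not code from the thread. The APK built by build_sample_apk()
is a constructed stand-in, not a real Delphi build.
"""
import io
import re
import zipfile

# OpenSSL 1.0.x reports itself as e.g. "OpenSSL 1.0.1i 6 Aug 2014".
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Fix levels from the Play notice ("1.02f/1.01r"), keyed by release branch.
MIN_PATCH = {(1, 0, 1): "r", (1, 0, 2): "f"}


def is_vulnerable(branch, letter):
    """True if branch+letter predates that branch's fix level.

    OpenSSL 1.0.x patch letters sort lexicographically ('' < 'a' < ... < 'z'),
    so a plain string compare is enough. Branches not in MIN_PATCH are
    treated as vulnerable when older than 1.0.1 (assumption: 0.9.8 and 1.0.0
    were already out of support) and clean otherwise.
    """
    floor = MIN_PATCH.get(branch)
    if floor is None:
        return branch < (1, 0, 1)
    return letter < floor


def scan_apk(apk_bytes):
    """Return (member, version, vulnerable) for each distinct OpenSSL version
    string found in each zip member, in zip order."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            seen = set()
            for m in VERSION_RE.finditer(apk.read(info)):
                branch = tuple(int(m.group(i)) for i in (1, 2, 3))
                letter = m.group(4).decode()
                version = f"{branch[0]}.{branch[1]}.{branch[2]}{letter}"
                if version not in seen:
                    seen.add(version)
                    results.append((info.filename, version,
                                    is_vulnerable(branch, letter)))
    return results


def build_sample_apk():
    """Constructed stand-in for a Delphi/FireDAC APK (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # App .so with InterBase ToGo statically linked: the old strings
        # travel inside it, whatever libssl.so is deployed next to it.
        apk.writestr("lib/armeabi-v7a/libmyapp.so",
                     b"\x7fELF\x01\x01\x01" b"OpenSSL CMAC method\x00"
                     b"EVP part of OpenSSL 1.0.1i 6 Aug 2014\x00"
                     b"SHA1 part of OpenSSL 1.0.1i 6 Aug 2014\x00")
        # Current library deployed for Indy to load at runtime.
        apk.writestr("assets/internal/libssl.so",
                     b"\x7fELF\x01\x01\x01" b"OpenSSL 1.0.2h  3 May 2016\x00")
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, version, bad in scan_apk(build_sample_apk()):
        print(f"{'REJECT' if bad else 'ok    '} {member}: OpenSSL {version}")
```

To run it against a real build, pass `open("Project1.apk", "rb").read()` to `scan_apk()` instead of the constructed zip. A flagged hit inside `lib/.../libmyapp.so` is the case this thread is about: it comes from the static library linked into the app, so deploying a newer libssl.so next to it changes nothing until the static library itself is rebuilt against a current OpenSSL.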
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 11:17 AM, in response to: Ovidiu Popa
Ovidiu Popa wrote:
Hi all
after i read some of the forum Q and A regarding this problem (i have it myself) i try to do a small project to see if I get a workaround.

I work with Delphi Berlin (no update 1).
FXM project

program VerifySSL;

Try running this on Android 6 if you want to load an OpenSSL with the Indy library. Android 4 and 5 have their own OpenSSL versions.
But this will not solve the app submission at the moment because it has nothing to do with Indy.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 12:19 PM, in response to: Chris Dunn
Chris wrote:

Try running this on android 6 if you want to load an OpenSSL
with indy library. android 4 and 5 have there own openssl versions.

Apps can freely use their own OpenSSL libs on Android 5 and earlier, such
as if they want to use a newer OpenSSL version than what ships in Android.
It is on Android 6 and later that this becomes more of a problem, due to
Google switching Android to use BoringSSL instead of OpenSSL for its native
SSL/TLS support. BoringSSL conflicts with app's local copies of OpenSSL.

--
Remy Lebeau (TeamB)
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 12:27 PM, in response to: Remy Lebeau (Te...
Apps can freely use their own OpenSSL libs on Android 5 and earlier, such
as if they want to use a newer OpenSSL version than what ships in Android.
It is on Android 6 and later that this becomes more of a problem, due to
Google switching Android to use BoringSSL instead of OpenSSL for its native
SSL/TLS support. BoringSSL conflicts with app's local copies of OpenSSL.

--
Remy Lebeau (TeamB)

If you attempt to load the OpenSSL libraries on Android 5 and lower it does not load. SSLVersion always returns the native OpenSSL version on those devices that don't have BoringSSL. At least with Indy anyway.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 6, 2016 1:55 PM, in response to: Chris Dunn
Chris wrote:

If you attempt to load the Openssl libraries on android 5 and lower it
does not load. SSLVersion always returns native openssl version on
those devices that dont have boringssl. At least with Indy anyway.

That has not been my experience. Are you forgetting to call IdOpenSSLSetLibPath()
to tell Indy to load your app's local OpenSSL libs instead of the system's
native libs?

--
Remy Lebeau (TeamB)
László Mlnvszky

Posts: 106
Registered: 10/21/09
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 7, 2016 3:50 AM, in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
Chris wrote:

If you attempt to load the Openssl libraries on android 5 and lower it
does not load. SSLVersion always returns native openssl version on
those devices that dont have boringssl. At least with Indy anyway.

That has not been my experience. Are you forgetting to call IdOpenSSLSetLibPath()
to tell Indy to load your app's local OpenSSL libs instead of the system's
native libs?

--
Remy Lebeau (TeamB)

I have to use IBLite for my APP, so not including it is not an option.
I have to wait for a new version of IBLite to arrive with the new OpenSSL.
I could include anything in the app and do whatever; as soon as I add the IB, the strings will be contained in the APK ...
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 7, 2016 6:08 AM, in response to: Remy Lebeau (Te...

That has not been my experience. Are you forgetting to call IdOpenSSLSetLibPath()
to tell Indy to load your app's local OpenSSL libs instead of the system's
native libs?

I'm not forgetting anything. It's always been this way since I had to work around BoringSSL and create OpenSSL shared libraries.
Dave Nottage

Posts: 1,850
Registered: 1/7/00
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 7, 2016 4:35 PM, in response to: Chris Dunn
Chris Dunn wrote:

I'm not forgetting anything.

FWIW, it works for me, using Delphi 10.1 Berlin. Note that I deploy the custom .so files to the deployment path: ./ and
use TPath.GetHomePath for the Indy SSL path.

--
Dave Nottage [MVP, TeamB]
Hints, tips and tricks at: http://www.delphiworlds.com/blog
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 10, 2016 9:38 AM, in response to: Dave Nottage

FWIW, it works for me, using Delphi 10.1 Berlin. Note that I deploy the custom .so files to the deployment path: ./ and
use TPath.GetHomePath for the Indy SSL path.

Alright guys, I think everyone is confused. The deployed libraries work fine on Android 6 and up. The code works, the library loads, OpenSSLVersion shows the deployed version.
The same exact code run on Android 5 and lower works fine, but your deployed libraries will not load. If you check OpenSSLVersion on Android 5 and lower, it will show the native version.
This is not a problem because you are accessing SSL from the device and not deploying an older version. I think there's a namespace conflict if the device has OpenSSL instead of BoringSSL.
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 7, 2016 7:12 AM, in response to: László Mlnvszky
László Mlnvszky wrote:
Google Play rejects APPS uploaded since today:
OpenSSL: The vulnerabilities were addressed in OpenSSL 1.02f/1.01r.

Possible because of Indy components, but not sure. Not using any SSL feature.

How to update the Android SSL files for Delphi Berlin?

Anyone using interbase and android should go vote for the issue you opened.
https://quality.embarcadero.com/browse/RSP-15985
Ovidiu Popa

Posts: 13
Registered: 9/17/10
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 10, 2016 7:57 AM, in response to: László Mlnvszky
Remy, can you make a small and basic application so we can test ourselves?
In my real application I work with sqlite, and idhttp.
Razvan

Edited by: Ovidiu Popa on Oct 10, 2016 7:59 AM
Chris Dunn

Posts: 160
Registered: 8/22/11
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 14, 2016 1:02 PM, in response to: László Mlnvszky
László Mlnvszky

Posts: 106
Registered: 10/21/09
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 17, 2016 7:40 AM, in response to: László Mlnvszky
The HotFix solved the problem!
SGBr Sistemas S...

Posts: 1
Registered: 10/7/16
Re: Google Play rejects APPs with OpenSSL Vulnerability
Posted: Oct 20, 2016 2:48 AM, in response to: László Mlnvszky
László Mlnvszky wrote:
The HotFix solved the problem!

Same here. Thank you!