OpenTok Android SDK 2.3.1 and the OpenSSL vulnerability problem

Updated: 2023-09-11 22:10:28


I have an app on the Google Play store. Recently I got a mail with the subject:

Google Play 60-day deadline for resolving OpenSSL vulnerabilities

It states that I'm using a version of OpenSSL which is vulnerable to some issues. However, I'm not using OpenSSL directly. I'm using the OpenTok library for the video chatting feature, which internally uses OpenSSL. I'm currently using OpenTok SDK version 2.3.1. But according to this link http://www.tokbox.com/blog/mobile-sdks-2-2-1-resolve-openssl-vulnerability/ all OpenSSL vulnerabilities were solved from SDK version 2.2.1 onwards. (I'm currently using 2.3.1, which came much later than 2.2.1.)

I used the below command on my Android application (APK file):

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

I got the below logs:

"OpenSSL"
GmsCore_OpenSSL
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::Error(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::Write(
OpenSSL CMAC method
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL default user interface

From the above logs I get a confirmation that in my current APK, OpenTok is using OpenSSL 1.0.1e.

Hence I have updated the OpenTok library to the latest version, which comes with opentok-android-sdk-2.5.0. After integrating/updating to the new library, I executed the below command:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

Below are the logs for the APK with the updated OpenTok library:

"OpenSSL"
GmsCore_OpenSSL
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE, 
OpenSSL EC algorithm
OpenSSL HMAC method
OpenSSL RSA method
OpenSSLAdapter::Error(
OpenSSLAdapter::OnCloseEvent(
OpenSSLAdapter::OnConnectEvent
Failed to create OpenSSLCertificate from PEM string.
OpenSSLStreamAdapter::Error(
OpenSSLStreamAdapter::Write(
OpenSSLStreamAdapter::Read(
OpenSSLStreamAdapter::OnEvent SE_OPEN
OpenSSLStreamAdapter::OnEvent
OpenSSLStreamAdapter::OnEvent(SE_CLOSE,

Here, we do not see any version of OpenSSL in the obtained logs.

So my questions are:

  • Does it now mean that if I update this new APK on the Google Play store, the application will be accepted?
  • Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?
  • Is there a way to get the version of OpenSSL being used in my APK? (Although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL.)

Note:

I have gone through this Google Play OpenSSL warning message post and all the solutions provided there, but I'm not able to get the OpenSSL version.

Any information on this shall be really helpful. Thanks in advance.

Does it now mean that if I update this new APK on the Google Play store, the application will be accepted?

Probably to Maybe. The script Google uses to police OpenSSL is pretty dumb. They flag OpenSSL for version numbers, and not use of vulnerable functions. Since there's no version information, the script may not trigger on what it believes to be a bad version.


Is there a way to check if my OpenSSL version is still vulnerable to issues (as mentioned in the mail from Google Play)?

Yes, use the strings program to dump the OpenSSL strings.


Is there a way to get the version of OpenSSL being used in my APK? (Although $ unzip -p YourApp.apk | strings | grep "OpenSSL" was not able to list the version of OpenSSL.)

I believe you need to check with the OpenTok folks here. It looks like OpenTok switched to BoringSSL at version 2.4.0. BoringSSL is Google's fork of OpenSSL.
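The `unzip -p | strings | grep` pipeline from the question and the "dump the OpenSSL strings" advice in the answer both boil down to one check: find the `OpenSSL x.y.zL dd Mon yyyy` banner that libcrypto embeds, and compare it with the minimum version Google demands. The script below is an added example, not code from the question, the answer, OpenTok or Google; it does the same scan per native library inside the APK (so you know which `.so` carries the old copy), parses the banner into a comparable version, and distinguishes three outcomes the plain grep blurs together: a banner below the threshold, a banner at or above it, and a library that mentions OpenSSL symbols but carries no banner at all (the BoringSSL situation the answer describes, where the only honest verdict is "ask the vendor"). The sample APK it builds in memory is constructed, the library names in it are invented, and `MINIMUM_VERSION` is a placeholder to be replaced with the version quoted in the Google Play notice.

```python
import io
import re
import zipfile

# Version banner that OpenSSL's libcrypto embeds, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# (the exact line the strings output in the question revealed). Requiring the
# trailing date keeps the match from firing on text such as "OpenSSL EC algorithm".
OPENSSL_BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-fips)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Placeholder threshold (assumption): replace with the minimum version named in
# the Google Play notice you received.
MINIMUM_VERSION = "1.0.1r"


def version_key(version: str) -> tuple:
    """Map '1.0.1e' to (1, 0, 1, 'e') so versions compare correctly; a missing
    patch letter sorts before 'a', matching OpenSSL's own ordering."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def scan_apk(apk_bytes: bytes) -> dict:
    """Inspect every native library under lib/ in the APK (a zip file) and
    return, per library, the banner versions found and whether the word
    'OpenSSL' appears at all. Same idea as `unzip -p app.apk | strings | grep
    OpenSSL`, but it keeps the per-library attribution the pipeline discards."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            versions = sorted(
                {m.group(1).decode("ascii") for m in OPENSSL_BANNER.finditer(data)},
                key=version_key,
            )
            report[name] = {"versions": versions, "mentions_openssl": b"OpenSSL" in data}
    return report


def assess(report: dict, minimum: str = MINIMUM_VERSION) -> dict:
    """Classify each library: 'vulnerable' (a banner below the minimum), 'ok'
    (every banner at or above it), 'unknown' (OpenSSL mentioned but no banner,
    e.g. a BoringSSL build, so the version must come from the vendor), or
    'no-openssl'."""
    floor = version_key(minimum)
    verdicts = {}
    for name, info in report.items():
        if info["versions"]:
            below = [v for v in info["versions"] if version_key(v) < floor]
            verdicts[name] = "vulnerable" if below else "ok"
        elif info["mentions_openssl"]:
            verdicts[name] = "unknown"
        else:
            verdicts[name] = "no-openssl"
    return verdicts


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK (library names invented): one library
    carrying the 1.0.1e banner seen in the question, one BoringSSL-style library
    that references OpenSSL symbols without any banner, and one without OpenSSL."""
    old = b"\x7fELF....OpenSSL HMAC method\x00OpenSSL 1.0.1e 11 Feb 2013\x00OpenSSL RSA method\x00"
    new = b"\x7fELF....OpenSSLStreamAdapter::Read(\x00Failed to create OpenSSLCertificate from PEM string.\x00"
    other = b"\x7fELF....nothing to see here\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")  # not a native lib, must be skipped
        zf.writestr("lib/armeabi-v7a/libopentok_old.so", old)
        zf.writestr("lib/armeabi-v7a/libopentok_new.so", new)
        zf.writestr("lib/armeabi-v7a/libother.so", other)
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_apk() with open("YourApp.apk", "rb").read() for a real APK.
    report = scan_apk(build_sample_apk())
    for name, verdict in assess(report).items():
        print(f"{verdict:<11} {name}  versions={report[name]['versions']}")
```

An "unknown" verdict is the case the answer warns about: a missing banner may mean BoringSSL (which strips the OpenSSL version string) or just a stripped build, so it says nothing about exposure either way, and the vendor's release notes are the only reliable source for the underlying library version.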