Problem: Google refuses to publish the application on Google.Play . Reason: The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za .

Used by Android Studio 1.5 , Windows 7 . All packages are updated to the latest versions.

Tell me how to update OpenSSL ? Thank you very much for the help!

Application code:

 import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.InputStreamReader; import java.net.URL; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; public class DBAction { DBAction() { } public static String getData(String id, String passkey, String command, String param){ String response = ""; try { String q = "https://myserver.com"; HostnameVerifier TRUST_ALL_CERTIFICATES = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; SSLContext Cur_SSL_Context = null; try { Cur_SSL_Context = SSLContext.getInstance("TLS"); Cur_SSL_Context.init(null, new TrustManager[] { new X509_Trust_Manager() }, new SecureRandom()); } catch (Exception e) { e.printStackTrace(); } HttpsURLConnection.setDefaultHostnameVerifier(TRUST_ALL_CERTIFICATES); HttpsURLConnection.setDefaultSSLSocketFactory(Cur_SSL_Context.getSocketFactory()); URL url = new URL(q); HttpsURLConnection httpsURLConnection= (HttpsURLConnection) url.openConnection(); httpsURLConnection.setRequestMethod("POST"); httpsURLConnection.setDoOutput(true); String urlParameters =DBHelper.PARAM_POST_ID+"="+id+ "&" + DBHelper.PARAM_POST_PASSKEY + "="+passkey; if (param != null) { urlParameters += "&"; urlParameters += DBHelper.PARAM_POST_PARAM; urlParameters += "="; urlParameters = param; } DataOutputStream wr = new DataOutputStream(httpsURLConnection.getOutputStream()); wr.writeBytes(urlParameters); wr.flush(); wr.close(); BufferedReader in = new BufferedReader( new InputStreamReader(httpsURLConnection.getInputStream())); String inputLine; StringBuffer stringBuffer = new StringBuffer(); while ((inputLine = in.readLine()) != null) { stringBuffer.append(inputLine); } in.close(); int responseCode = httpsURLConnection.getResponseCode(); response = stringBuffer.toString(); } catch (Exception e) { System.out.print("Exception = " + e); } return response; } private static class X509_Trust_Manager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {} @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {} @Override public X509Certificate[] getAcceptedIssuers() { return null; } }; }

UPD : The '$ unzip -p YourApp.apk recommended by Google command | strings | grep "OpenSSL" 'gives an empty result

UPD2 : libs is empty

 dependencies { compile fileTree(dir: 'libs', include: ['*.jar']) testCompile 'junit:junit:4.12' compile 'com.android.support:appcompat-v7:23.1.1' compile 'com.android.support:recyclerview-v7:23.1.1' }
  • What libraries are connected? The problem is not in Android Studio. Probably some kind of library will link statically with the old version of OpenSSL. - Suvitruf
  • And what version of build tools? And in general, what versions are used? Show the whole build.gradle. - xkor

1 answer 1

If you need to update the native libraries, there are two ways:

  1. Find ready .so libraries and connect them to the project as NDK dependencies; then explicitly in code call System.loadLibrary("yourlib"); (do not forget to catch exceptions that this function may throw)
  2. Take the source of libraries, separately collect these libraries, then go to step 1

IMPORTANT :

It must be remembered that there is such a parameter as ABI ( more details here ). It is controlled during the gradle build with the gradle parameter. All architectures should have their own library, which should be located in the appropriate folder.