问题描述
我刚刚发现了一条安全警报,指出您的应用正在使用含有安全漏洞的OpenSSL版本和此文章的链接:
我做了一个grep命令来查找在apk中使用的OpenSSL版本
unzip -p YourApp.apk |字符串| grepOpenSSL
我发现应用程序使用 OpenSSL 1.0.1k 2015年1月8日
问题是,我没有明确使用任何OpenSSL类,也没有依赖关系。所以可能其他的一些依赖使用旧的OpenSSL版本,但我不知道,我怎么能找到什么库使用OpenSSL依赖。
我试图用这个命令找到哪个库使用OpenSSL ./../ gradlew -q dependencies
,但是根本没有任何OpenSSL ..
我对于使用整个依赖列表的应用程序有这个问题。在寻找答案之后,这对我来说很有用:
我创建了一个名为findopenssl.sh的脚本(我在另一个SO答案中找到了这个脚本,但没有引用作者 - 同样,将myhomedirectory更改为您想要工作的目录,我使用了我的主文件夹,因为它使终端的生活变得更加简单)。该脚本将识别引用OpenSSL的APK中的文件,以及那些实施Heartbeat功能的文件,这些文件被认为是安全风险):
#!/ bin / bash
sslworkdir =myhomedirectory
if [! -d $ sslworkdir];然后
mkdir $ sslworkdir
fi
unzip -q$ 1-d $ sslworkdir
#设置分隔符以忽略空格
IFS = $'\r\ n'
#创建一个OpenSSL版本字符串数组
opensslarr =($(egrep --binary-files = text -o -R -eOpenSSL\s\d + \.\ d + \\\\\ + +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ /
if [$ {#opensslarr [@]} -gt 0];然后
echoFound OpenSSL versions
printf%s\\\
$ {opensslarr [@]}
heartbeatarr =($(grep -R -E(tls1_process_heartbeat | dtls1_process_heartbeat | dtls1_heartbeat | tls1_hearbeat)$ sslworkdir / *))
#Stackoverflow语法高亮显示修复关闭'block comment'* /
if [$ {#heartbeatarr [@]} -gt 0];然后
echo包含心跳方法的文件:
printf%s\\\
$ {heartbeatarr [@]}
else
echo没有库包含心跳方法
fi
else
echo未找到OpenSSL
fi
rm -rf $ sslworkdir
我将我的apk复制到我的主目录,并在终端窗口中运行脚本:
sh findopenssl.sh myappname.apk
在我的情况下,一个名为libportsip_core.so的库文件引用了旧版本的openssl。
我找到了两个版本的libportsip_core.so(armv7和x86)并删除了它们。然后,我再次清理,重建并构建了我的apk并再次运行脚本。这很好,我成功地提交到Play商店。
I just found a security alert saying "Your app is using a version of OpenSSL containing a security vulnerability." and links to this article:
I did a grep command to find the OpenSSL version that is used in the apk unzip -p YourApp.apk | strings | grep "OpenSSL"
and I found that the app is using OpenSSL 1.0.1k 8 Jan 2015
The problem is, that I'm not explicitly using any OpenSSL classes and I do not have it in dependencies. So probably some of the other dependencies is using old OpenSSL version, but I do not know, how I can find what library is using OpenSSL dependency.I tried to find which library is using OpenSSL with this command ./../gradlew -q dependencies
but there is not any OpenSSL at all..
I had this problem for an app that was using a whole list of dependencies. After much searching for answers, this is what worked for me:
I created script called findopenssl.sh (I found this in another SO answer somewhere but don't have the reference to credit the author - also, change myhomedirectory to whatever is the directory you want to work in, I used my home folder as it just made life easier in the Terminal). This script will identify files in your apk that reference OpenSSL and also those that implement the Heartbeat functions that are considered a security risk):
#!/bin/bash
sslworkdir="myhomedirectory"
if [ ! -d $sslworkdir ]; then
mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
echo "Found OpenSSL versions"
printf "%s\n" "${opensslarr[@]}"
heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#heartbeatarr[@]} -gt 0 ]; then
echo "Files that contains heartbeat methods:"
printf "%s\n" "${heartbeatarr[@]}"
else
echo "No libraries contain heartbeat methods"
fi
else
echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir
I copied my apk to my home directory and ran the script in a Terminal window with:
sh findopenssl.sh myappname.apk
In my case, this identified a library file called libportsip_core.so as having references to an older version of openssl.
I found two versions of libportsip_core.so (armv7 and x86) and deleted both of them. I then cleaned, rebuilt and built my apk again and ran the script again. It was then fine and I submitted successfully to the Play Store.
这篇关于Android Google Play旧的OpenSSL警告的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!