GDK 0.0.62 (and earlier) rejected by Google PlayStore due to 'defective' openssl version #193

Closed
opacey opened this issue May 17, 2023 · 18 comments

@opacey

opacey commented May 17, 2023

Hi GDK team, we are using GDK as part of an Android app for its wallet functions in a custom Elements chain.

After a few years of smooth submissions and publications, Google is rejecting our latest submissions with the attached complaint that the .apk includes an unstable version of openssl.

The original complaint was based on a very old GDK library (not sure which version but from 2 or 3 years ago)
We updated to 0.0.53 which states "Update openssl to 1.1.1n", but received the same rejection response
We updated to 0.0.62 but again received the same rejection response.

I am assured by the main developer that we are not linked to openssl in any other parts of the application (I cannot be 100% confident of this though)

Has anyone else experienced this issue?
Do the PlayStore team automate all of these checks or is it possible there is wide scope for human error and they are testing an old submission?
Any help would be appreciated.
[attached screenshot of the Play Store complaint, 2023-05-17 17:11:28]

@jgriffiths
Contributor

Hi,

you can determine the compiled in openssl version using:

$ strings libgreenaddress.so | fgrep '1.1.1'
OpenSSL 1.1.1n  15 Mar 2022
OpenSSL 1.1.1n  15 Mar 2022
...

(This example is from gdk 0.62.) In the event that your build has somehow included openssl non-statically, run ldd on the .so file and see if openssl libs are listed as being dynamically linked. If this is happening, it could be the case that the test expects either static linking or a newer openssl to be shipped with your app (for devices with insecure versions).

If neither of these offer any clues you will probably need to reach out to google to find the specifics of their tests. The Green wallets do not appear to be affected by this check.

@jgriffiths
Contributor

jgriffiths commented May 18, 2023

@opacey update: it seems that Google wants version 1.1.1t. We are testing an update to that version and will merge it to master shortly.

If you take that change, you will want to backport it to 0.62 rather than running the master branch which is not suitable for releasing from just yet.

@opacey
Author

opacey commented May 19, 2023

ah amazing, thank you @jgriffiths, that's invaluable research and info - thanks also for prioritising the update. Will watch out for it and try the backport. I'll report back here if any success or problems.

@jgriffiths
Contributor

@opacey gdk master is now updated with the latest openssl.

@jgriffiths jgriffiths self-assigned this May 22, 2023
@opacey
Author

opacey commented May 22, 2023

Looks like you've already done the work @jgriffiths! Shall I try with 0.0.62 and backport your commits from the last few hours to it?

[attached screenshot]

Edit: From a quick scan through the commits, am I right in thinking the only one I need to apply to release 0.0.62 to update to openssl 1.1.1t is this one?

0366a8d7ade4ea6d6247327b9041119e43048e87

@jgriffiths
Contributor

am I right in thinking the only one I need to apply

@opacey yes, that single commit is enough. We will be releasing a new gdk version shortly (this week) based on current master.

@opacey
Author

opacey commented May 25, 2023

Hi @jgriffiths do you think the 0.0.63 release is on track for this week?
Also, do you know if there are plans to upgrade GDK to openssl 3.x? Apparently the 1.1.1 LTS series expires in Sept '23.

@jgriffiths
Contributor

Hi @opacey we are testing the candidate release (master) now. I have one bug fix I'm about to submit and one other minor issue to investigate. Unless we find some other issues during testing, everything looks on track for a release on Friday. If there is a delay, it will most likely be Monday.

@jgriffiths
Contributor

plans to upgrade GDK to openssl 3.x

This is on our radar but not currently prioritized.

@opacey
Author

opacey commented May 25, 2023

Thanks kindly for the updates @jgriffiths !

@opacey
Author

opacey commented May 31, 2023

Excited to see the 0.0.63 release https://github.com/Blockstream/gdk/releases/tag/release_0.0.63 however it is marked, pre-release. How long is the finalised release of 0.0.63 likely to take (roughly)? If it's this week then we will wait for it, but if it's longer we will risk the pre-release but could you give us a qualitative idea of the risk we'd be taking?

@jgriffiths
Contributor

Hi @opacey, the release was delayed slightly by the American long weekend, apologies for that. We generally release gdk initially as a pre-release just for acceptance testing of the final built artifacts; this is complete now, so the release is final.

Please let us know if you encounter any issues and don't forget to account for the CHANGELOG.md changes in 0.63.

@opacey
Author

opacey commented Jun 2, 2023

Fantastic! Thanks so much for this help and effort.

@opacey
Author

opacey commented Sep 27, 2023

Hi @jgriffiths,
I'm still getting (non-blocking, for now) warnings from the Google PlayStore of the same kind we discussed above.

Defective OpenSSL Version
Error
Issue 1 of 1

Your app uses a defective version of the OpenSSL library, which can cause your app to crash. Update to a fixed version of OpenSSL.

Defective versions:

OpenSSL 1.1.1b in lib/x86/libgreenaddress.so

We are using GDK version 0.0.64

When I run your checks above I get this output...

/lib/x86$ ldd libgreenaddress.so
    not a dynamic executable
$ strings libgreenaddress.so | fgrep '1.1.1'
OpenSSL 1.1.1t  7 Feb 2023
Detected OpenSSL bug 7712: disabling TLS 1.3 on future connections. A fix is expected to appear in OpenSSL 1.1.1b.
OpenSSL 1.1.1t  7 Feb 2023

This middle line (which you don't get) is from some tor code. The android tor browser project was suffering the same warning and suspected that PlayStore was finding this '1.1.1b' string and erroneously concluding it was a library reference, so they fixed it with this commit, which removed the string:

torproject/tor@c71f31d

Is it possible GDK 0.0.64 is somehow getting this warning string from an older tor library and logging it in libgreenaddress.so ?
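
The two checks in this thread (jgriffiths's `strings ... | fgrep '1.1.1'` to find the compiled-in OpenSSL version, and opacey's finding that a tor log message mentioning "OpenSSL 1.1.1b" trips the Play Store scanner) can be combined into one offline audit. The script below is an added example and is not GDK code, not tor code, and not Google's actual scanner. It assumes two things: that a genuine OpenSSL version banner always has the form "OpenSSL <version>  <day> <Mon> <year>" as the thread's `strings` output shows, and that 1.1.1t is the minimum acceptable version, taken from jgriffiths's May 18 comment. The sample bytes are constructed to mimic the three matching strings quoted above for libgreenaddress.so; `scan_file` lets you run the same audit on a real `.so` pulled out of an APK.

```python
import re
import sys

# A real OpenSSL version banner (OPENSSL_VERSION_TEXT) carries a build date,
# e.g. "OpenSSL 1.1.1t  7 Feb 2023".  Requiring the date is what separates
# the library's own banner from an incidental mention of a version number
# in some unrelated message (the tor "bug 7712" string in this thread).
BANNER_RE = re.compile(
    rb"OpenSSL (1\.1\.1[a-z]?|3\.\d+\.\d+)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)

# The loose pattern models a grep for the bare version token.  It is what a
# naive scanner (and `fgrep '1.1.1'`) sees, and it is the source of the false positive.
LOOSE_RE = re.compile(rb"OpenSSL (1\.1\.1[a-z]?|3\.\d+\.\d+)")

# Constructed sample: the three strings quoted in the thread for gdk 0.0.64's
# lib/x86/libgreenaddress.so, NUL-separated as they would sit in an ELF .rodata.
# The leading bytes are filler, not a real ELF header.
SAMPLE_SO_STRINGS = (
    b"\x7fELF\x00\x00\x00filler\x00"
    b"OpenSSL 1.1.1t  7 Feb 2023\x00"
    b"Detected OpenSSL bug 7712: disabling TLS 1.3 on future connections. "
    b"A fix is expected to appear in OpenSSL 1.1.1b.\x00"
    b"OpenSSL 1.1.1t  7 Feb 2023\x00"
)


def find_openssl_banners(blob: bytes) -> list:
    """Return sorted, de-duplicated (version, date) pairs from genuine banners."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in BANNER_RE.finditer(blob)})


def find_loose_mentions(blob: bytes) -> list:
    """Return every 'OpenSSL <version>' token, banner or not (naive scanner view)."""
    return sorted({m.group(0).decode() for m in LOOSE_RE.finditer(blob)})


def version_key(version: str) -> tuple:
    """Sort key for OpenSSL versions: '1.1.1' < '1.1.1a' < ... < '1.1.1t' < '3.0.0'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_defective(version: str, minimum: str = "1.1.1t") -> bool:
    """True if `version` is older than the assumed minimum (1.1.1t per the thread)."""
    return version_key(version) < version_key(minimum)


def audit(blob: bytes, minimum: str = "1.1.1t") -> dict:
    """Compare a strict (banner-only) verdict with a loose (any-mention) verdict."""
    banners = find_openssl_banners(blob)
    loose = find_loose_mentions(blob)
    return {
        "banners": banners,
        "strict_defective": [v for v, _ in banners if is_defective(v, minimum)],
        "loose_defective": [s for s in loose if is_defective(s.split()[1], minimum)],
    }


def scan_file(path: str, minimum: str = "1.1.1t") -> dict:
    """Run the audit over a real shared object, e.g. lib/x86/libgreenaddress.so."""
    with open(path, "rb") as f:
        return audit(f.read(), minimum)


if __name__ == "__main__":
    # Usage: python openssl_audit.py [path/to/lib.so]; defaults to the sample bytes.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_SO_STRINGS)
    for version, date in result["banners"]:
        print(f"banner: OpenSSL {version} ({date})")
    print("strict verdict:", "defective" if result["strict_defective"] else "ok")
    print("loose verdict: ", "defective" if result["loose_defective"] else "ok",
          result["loose_defective"])
```

On the sample bytes the strict check finds only the 1.1.1t banner and passes, while the loose check flags "OpenSSL 1.1.1b" from the tor message, reproducing the rejection opacey saw. The practical point for anyone shipping a native library is that a store scanner may well use the loose form, so stripping or rewording incidental version mentions (as the linked tor commit did) is the fix even when the real banner is current.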

@jgriffiths
Contributor

Hi @opacey Looks like our tor version is affected, I will fix this in gdk master.

@jgriffiths jgriffiths reopened this Oct 1, 2023
@opacey
Author

opacey commented Oct 1, 2023

Fantastic, thanks kindly @jgriffiths!

@jgriffiths
Contributor

@opacey https://github.com/Blockstream/gdk/tree/playstore_tor_fix contains the fix, this will be merged to master shortly following our internal review and CI process.

I expect we will make a new gdk release in a couple of weeks with this change if you need an official release to work from.

@jgriffiths
Contributor

Merged to master, please re-open if this fix doesn't work for you, thanks.
