OpenSSL 1.1.1b security warning on Google Play

[StudentGGG]

On my last app update I got a security warning from Google play:

Defective OpenSSL version: Your app uses a defective version of the OpenSSL library, which can cause your app to crash. Update to a fixed version of OpenSSL. Defective versions: OpenSSL 1.1.1b

I suspect it comes from chaquopy because using this trick I could track down that most usage of OpenSSL comes from Chaquopy
https://stackoverflow.com/questions/24197777/google-play-and-openssl-warning-message

Apparently there is a fix in OpenSSL 1.1.1i or higher:
https://support.google.com/faqs/answer/12576638

I am using Chaquopy 12.0.
Could you confirm whether Chaquopy 12.0 uses OpenSSL 1.1.1.b or not?
If yes, is there a plan to publish a fix ?

[mhsmith]

Yes, Chaquopy's Python 3.8 build does use this version of OpenSSL. We'll shortly be releasing a new Chaquopy version which adds support for Python 3.9, 3.10 and 3.11. All of these will use OpenSSL 3, which will resolve this issue.

We're not planning to update the OpenSSL version of Python 3.8 in the next Chaquopy release, but we'll do it in the release after that.

[mhsmith]

Here's how to make your own build to remove the Google Play warning:

Use a Linux machine: a cheap virtual server from somewhere like DigitalOcean will do just fine.

Find this section of Common.java:

chaquopy/product/buildSrc/src/main/java/com/chaquo/python/Common.java

Lines 15 to 16 in 1814160

	// Version, build number
	PYTHON_VERSIONS.put("3.8.13", "2");

And set the build number as follows:

• 1 for Chaquopy 12.0
• 2 for Chaquopy 13.0

Install Docker using the instructions on its website, then:

cd chaquopy/target
docker build -t chaquopy-target .

Download the Android SDK command-line tools from here, and set them up as follows (replace PATH/TO with the correct location):

mkdir -p android-sdk/cmdline-tools
cd android-sdk/cmdline-tools
unzip PATH/TO/commandlinetools-linux-8512546_latest.zip
mv cmdline-tools latest

Find this section of target/build-all.sh:

chaquopy/target/build-all.sh

Lines 25 to 26 in 1814160

	./for-each-abi.sh openssl/build.sh 1.1.1b
	python/build-and-package.sh 3.8

And edit it as follows:

• Change the OpenSSL version to something newer, e.g. 1.1.1r.
• Comment out the bottom section of the file which builds OpenSSL 3 and Python 3.9-3.11.

Run the build (replace PATH/TO with the correct location):

cd chaquopy
docker run -it -v PATH/TO/android-sdk:/root/android-sdk -v $(pwd)/target:/root/target -v $(pwd)/product:/root/product -v $(pwd)/maven:/root/maven chaquopy-target

You should now have some Python 3.8 packages in chaquopy/maven. To use them:

• Find the pluginManagement { repositories } section of your app's settings.gradle file, or the buildscript { repositories } section of your build.gradle file.
• At the start of the repositories section, add the following line (replace PATH/TO with the correct location):

  maven { url "PATH/TO/chaquopy/maven" }
  

• Rebuild your app.

[mhsmith]

This issue was fixed in Chaquopy 14.0.2. To upgrade, edit your app's top-level build.gradle file and change the version number of com.chaquo.python.

[mhsmith]

This warning may also be produced by older versions of the cryptography package, which were linked statically against OpenSSL 1.1 on all Python versions. To fix this:

• Set your app's Python version to 3.10 or later.
• Set your cryptography version to 42.0.8 or later.