While publishing a new release of my app to the Google Play Store, I suddenly got a warning about my app using vulnerable OpenSSL versions (specifically 1.1.1h).
[✓] Flutter (Channel stable, 3.3.7, on macOS 13.0 22A380 darwin-arm, locale en-NL)
    • Flutter version 3.3.7 on channel stable at /Users/_________/Documents/flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision e99c9c7cd9 (7 days ago), 2022-11-01 16:59:00 -0700
    • Engine revision 857bd6b74c
    • Dart version 2.18.4
    • DevTools version 2.15.0
[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/_________/Library/Android/sdk
    • Platform android-33, build-tools 33.0.0
    • Java binary at: /Applications/Android Studio.app/Contents/jre/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)
    • All Android licenses accepted.
[✓] Xcode - develop for iOS and macOS (Xcode 14.1)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14B47b
    • CocoaPods version 1.11.3
[✓] Android Studio (version 2021.3)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)
[✓] VS Code (version 1.71.2)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension can be installed from:
      https://marketplace.visualstudio.com/items?itemName=Dart-Code.flutter
[✓] Connected device (2 available)
    • sdk gphone64 arm64 (mobile) • emulator-5554 • android-arm64 • Android 12 (API 31) (emulator)
    • iPhone 13 pro (mobile) • 893E06BD-1977-495E-A6E8-A388953D0C13 • ios • com.apple.CoreSimulator.SimRuntime.iOS-16-1 (simulator)
[✓] HTTP Host Availability
    • All required HTTP hosts are available
• No issues found!
I went through the packages that were added since the previous release. These were: uni_links, informers, open_store, android_id, package_info_plus, internet_connection_checker, analyzer.
I tried checking which Android dependencies use 'OpenSSL' from the unzipped APK, along with checking it in the Flutter SDK itself. This was done using unzip -p app-develop-debug.apk | strings | grep "OpenSSL" and some other scripts that I got from other Stack Overflow issues.
I only got flutter_web_sdk that was using it from the SDK, and the libsqlcipher.so binary from the unzipped APK.
I then tried to build OpenSSL from the newer sources, but it was too convoluted and just did not work directly with the Android side of things.
I tried to add com.bryanherbst.openssl-checker:openssl-checker:1.0.0 and org.owasp:dependency-check-gradle:7.3.0 to my buildscript, hoping that it would point me to the actual package using it (not a binary/header or something). But it did not seem to trigger the checking workflow when running from Flutter.
I tried to upgrade my Gradle plugin to 7.4, ext.kotlin_version to '1.7.20', and ndkVersion to '25.1.8937393' (so everything to the latest without breaking the app). I also updated all the dependency plugins used on the Android side to their latest versions. But upon compiling and checking the APK, references to OpenSSL 1.1.1h were still there.
I do not understand how to get rid of this. How could I find the packages that are using it (I do have quite a few outdated packages declared in my pubspec.yaml, but they cannot be easily upgraded)? And what can I check next to replace the OpenSSL 1.1.1h usage with the next secure version? Or is it a deeper error that would still remain unsolved?
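One way to pin the warning to a specific native library, as an added example that is not part of the original question: the script below does what the unzip | strings | grep pipeline does, but reports the embedded OpenSSL version per lib/<abi>/*.so, so a library name such as libsqlcipher.so can be matched against the plugins listed in pubspec.lock. The APK it scans by default is constructed in memory; pass a real APK path to scan a build.

```python
"""Locate which native library inside an APK embeds an OpenSSL version string.

Added example, not code from the original question. The constructed sample APK
lets it run offline; pass a real APK path on the command line to scan a build.
"""
from __future__ import annotations

import io
import re
import sys
import zipfile

# OpenSSL builds embed a string such as "OpenSSL 1.1.1h  22 Sep 2020".
OPENSSL_VERSION = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map each native library basename (merged across ABIs) to the OpenSSL versions it embeds."""
    found: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Only native code matters; assets such as NOTICES mention OpenSSL in license text.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            versions = {m.group(1).decode() for m in OPENSSL_VERSION.finditer(apk.read(name))}
            if versions:
                found.setdefault(name.rsplit("/", 1)[-1], set()).update(versions)
    return {lib: sorted(v) for lib, v in found.items()}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: fake ELF blobs plus a license file that must be ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libsqlcipher.so", b"\x7fELF\x00OpenSSL 1.1.1h  22 Sep 2020\x00")
        z.writestr("lib/armeabi-v7a/libsqlcipher.so", b"\x7fELF\x00OpenSSL 1.1.1h  22 Sep 2020\x00")
        z.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF\x00no version string in here\x00")
        z.writestr("lib/arm64-v8a/libcrypto.so", b"\x7fELF\x00OpenSSL 3.0.7  1 Nov 2022\x00")
        z.writestr("assets/flutter_assets/NOTICES", b"OpenSSL 1.1.1h is licensed under ...")
    return buf.getvalue()


if __name__ == "__main__":
    # With a path argument the real APK is scanned; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for lib, versions in sorted(scan_apk(data).items()):
        print(f"{lib}: OpenSSL {', '.join(versions)}")
```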