I had this problem for an app that was using a whole list of dependencies. After much searching for answers, this is what worked for me:
I created script called findopenssl.sh (I found this in another SO answer somewhere but don't have the reference to credit the author - also, change myhomedirectory to whatever is the directory you want to work in, I used my home folder as it just made life easier in the Terminal). This script will identify files in your apk that reference OpenSSL and also those that implement the Heartbeat functions that are considered a security risk):
#!/bin/bash
sslworkdir=“myhomedirectory”
if [ ! -d $sslworkdir ]; then
mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
echo "Found OpenSSL versions"
printf "%s\n" "${opensslarr[@]}"
heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#heartbeatarr[@]} -gt 0 ]; then
echo "Files that contains heartbeat methods:"
printf "%s\n" "${heartbeatarr[@]}"
else
echo "No libraries contain heartbeat methods"
fi
else
echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir
I copied my apk to my home directory and ran the script in a Terminal window with:
sh findopenssl.sh myappname.apk
In my case, this identified a library file called libportsip_core.so as having references to an older version of openssl.
I found two versions of libportsip_core.so (armv7 and x86) and deleted both of them. I then cleaned, rebuilt and built my apk again and ran the script again. It was then fine and I submitted successfully to the Play Store.
