When I try to publish my app in the Google Play Developer Console I get an error that the used version of libpng is vulnerable.

The vulnerabilities were fixed in libpng v1.0.66, v.1.2.56, v.1.4.19, v1.5.26 or higher. You can find more information about how to resolve the issue in this Google Help Center article https://support.google.com/faqs/answer/7011127.

However, I do not need libpng at all so I do not want to upgrade but instead remove it. My app uses OpenCV 2.4.11 and Tesseract (which again comes with leptonica). I recompiled OpenCV and Tesseract after setting the HAVE_LIBPNG flag to false using ndk-build.

When inspecting my apk file there is no libpng in the libraries folder.

Why does Google keep rejecting the app? What else can I do to get the app accepted?

Any ideas are appreciated.

Edit: I have read "Android: Removing OpenCV older version will resolve Libpng Vulnerability warning?". I do not want to update to OpenCV 3.1 but simply remove libpng from my app. I am not using it, so a smaller apk would also be a benefit from a simple removal.

Thank you @Stanojkovic. Already read it, however, I do not want to upgrade OpenCV. I do not use libpng, so an upgrade should not be necessary. - Heribert

Shouldn't you be undefining HAVE_PNG rather than defining it to have the value 0/false? (For OpenCV, that is. Tesseract might expect you to define HAVE_LIBPNG as 0.) - Michael

Thank you @Michael for your comment. For Tesseract/Leptonica I set the HAVE_LIBPNG flag to 0. For OpenCV I did not find a HAVE_PNG or HAVE_LIBPNG flag. Is there one? Instead, I removed the liblibpng.a files for all architectures. - Heribert

I think there should be one in cvconfig.h. Where/whether that file exists might differ between different OpenCV versions. - Michael

1 Answer

Ok, so here is what I did:

  • Updated to OpenCV 2.4.13.1 which can be downloaded here.

  • Updated Tesseract (and Leptonica, which also comes with the tess-two project) to the latest version.

  • Before building Tesseract:

    • set HAVE_LIBPNG to 0 in tess-two/jni/com_googlecode_leptonica_android/config_auto.h
    • renamed Android.mk of tess-two/jni/libpng such that it is not built by include $(call all-subdir-makefiles)
    • removed LIBPNG_PATH from LOCAL_C_INCLUDES in tess-two/jni/com_googlecode_leptonica_android/Android.mk
    • removed libpngt from LOCAL_SHARED_LIBRARIES in tess-two/jni/com_googlecode_leptonica_android/Android.mk
    • removed LIBPNG_PATH from tess-two/jni/Android.mk
  • Removed all System.loadLibrary("pngt") calls from Tesseract's Java files

So to summarize: my outdated version of OpenCV was one issue, but Tesseract also used a vulnerable version of libpng. Even the newer Tesseract version I am using now uses this vulnerable version of libpng, so I had to manually exclude it.

If someone knows a better solution than all the points above I am still interested.
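
The question notes that no libpng file was visible in the APK's libraries folder, yet the upload was still rejected. As an added example (not part of the original post or of any project mentioned here), this check looks inside every native library in an APK for libpng's version string and compares it with the fixed versions quoted in the question. It assumes the linked libpng code kept its " libpng version X.Y.Z" header string; the sample APK and its library contents are constructed.

```python
import io
import re
import zipfile

# Minimum fixed release per libpng branch, as quoted in the Play Console message above.
FIXED = {(1, 0): (1, 0, 66), (1, 2): (1, 2, 56), (1, 4): (1, 4, 19), (1, 5): (1, 5, 26)}

# Assumption: the linked libpng code kept its header version string,
# which has the form " libpng version 1.2.52 - <date>".
VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def is_fixed(version):
    """True if version meets the page's threshold for its branch ("or higher" otherwise)."""
    floor = FIXED.get(version[:2], max(FIXED.values()))
    return version >= floor


def scan_apk(apk):
    """Return sorted (entry name, version, fixed?) for every libpng string in native libs."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            for m in VERSION_RE.finditer(data):
                version = tuple(int(g) for g in m.groups())
                findings.add((name, version, is_fixed(version)))
    return sorted(findings)


def build_sample_apk():
    """Constructed in-memory APK: no libpng.so, but two libraries embed libpng code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/liblept.so", b"\x7fELF\0 libpng version 1.2.52 - sample\0")
        zf.writestr("lib/armeabi-v7a/libother.so", b"\x7fELF\0 libpng version 1.5.26 - sample\0")
        zf.writestr("lib/armeabi-v7a/libclean.so", b"\x7fELF\0no png here\0")
        zf.writestr("classes.dex", b"libpng version 1.0.1")  # not a native lib, ignored
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, version, fixed in scan_apk(build_sample_apk()):
        print(name, ".".join(map(str, version)), "ok" if fixed else "VULNERABLE")
```

To check a real build, pass the path of the APK to `scan_apk` instead of the constructed sample; an empty result only means no version string was found, not that no libpng code is present.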