I just found a security alert saying “Your app is using a version of OpenSSL containing a security vulnerability.” and links to this article:

https://support.google.com/faqs/answer/6376725

I did a grep command to find the OpenSSL version that is used in the apk
unzip -p YourApp.apk | strings | grep "OpenSSL"
and I found that the app is using OpenSSL 1.0.1k 8 Jan 2015

The problem is, that I'm not explicitly using any OpenSSL classes and I do not have it in dependencies. So probably some of the other dependencies is using old OpenSSL version, but I do not know, how I can find what library is using OpenSSL dependency. I tried to find which library is using OpenSSL with this command ./../gradlew -q dependencies but there is not any OpenSSL at all..

I had this problem for an app that was using a whole list of dependencies. After much searching for answers, this is what worked for me:

I created script called findopenssl.sh (I found this in another SO answer somewhere but don't have the reference to credit the author - also, change myhomedirectory to whatever is the directory you want to work in, I used my home folder as it just made life easier in the Terminal). This script will identify files in your apk that reference OpenSSL and also those that implement the Heartbeat functions that are considered a security risk):

#!/bin/bash
sslworkdir=“myhomedirectory”
if [ ! -d $sslworkdir ]; then
mkdir $sslworkdir
fi
unzip -q "$1" -d $sslworkdir
#Set delimiter to ignore spaces
IFS=$'\r\n'
#Create an array of OpenSSL version strings
opensslarr=($(egrep --binary-files=text -o -R -e "OpenSSL\s\d+\.\d+\.\d+\w+\s\d+\s\w+\s\d+" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#opensslarr[@]} -gt 0 ]; then
echo "Found OpenSSL versions"
printf "%s\n" "${opensslarr[@]}"
heartbeatarr=($(grep -R -E "(tls1_process_heartbeat|dtls1_process_heartbeat|dtls1_heartbeat|tls1_hearbeat)" $sslworkdir/*))
#Stackoverflow syntax highlight fix closing 'block comment' */
if [ ${#heartbeatarr[@]} -gt 0 ]; then
echo "Files that contains heartbeat methods:"
printf "%s\n" "${heartbeatarr[@]}"
else
echo "No libraries contain heartbeat methods"
fi
else
echo "Did not find OpenSSL"
fi
rm -rf $sslworkdir

I copied my apk to my home directory and ran the script in a Terminal window with:

sh findopenssl.sh myappname.apk

In my case, this identified a library file called libportsip_core.so as having references to an older version of openssl.

I found two versions of libportsip_core.so (armv7 and x86) and deleted both of them. I then cleaned, rebuilt and built my apk again and ran the script again. It was then fine and I submitted successfully to the Play Store.