Short Bytes: A flaw has been reported in thousands of Android apps that will crash them when Android M goes live. The problem lies in Google’s shift from OpenSSL to BoringSSL and the ignorance of app developers towards the linking guidelines.
SourceDNA has scanned the Google Play Store and looked for the apps that need fixing. The root cause of this problem points towards Google’s recent move from OpenSSL to BoringSSL. The BoringSSL library provided a cleanup of OpenSSL by removing lots of complicated functionality and flaws like Heartbleed. So, the future release will cause the app to crash if it links against the platform libraries.
Google has never included OpenSSL in its official Android NDK, so Google can perform this SSL change anytime without affecting apps. It should be noted that some app developers have linked their app code against a private Android API, and it’s a recipe for disaster.
So, an app will crash if it links to your phone’s libcrypto.so or libssl.so libraries. This crash will be at the dynamic linker level and it’s possible that crash reporters like ACRA or Crashlytics can detect the problem.
How to fix the OpenSSL/BoringSSL flaw in apps for Android M?
SourceDNA mentions two methods to take care of the flaw:
1. Include the libcrypto and/or libssl.so libraries in your app APK. You can do this directly or statically link your native code with OpenSSL or any other library.
2. Use JNI from your app code to call into the Java crypto API.
Apart from the reporting of the flaw, SourceDNA has written about its own product named Searchlight. It aims to provide alerts for flaws by analysing the apps. If you develop Android or iOS apps, you can register for Searchlight to get notifications if your apps have flaws like this.
Did you find this story helpful? Tell us in comments below.
For more updates and interesting stories, subscribe to fossBytes newsletter. [newsletter_signup_form id=1]