5

This morning I got a mail from Google's developer console saying that I'm using a version of OpenSSL that is open to security vulnerabilities.

Actually, I'm just maintaining the code; I haven't developed it. However, I am supposed to fix this issue.

I would like to know how to update OpenSSL to the latest supported version in my Android application.

Tried searching a lot, but have not found how to do so in an Android application.

This would be a solution for all the developers who got the same mail this morning.

Thanks in advance.

Zax
  • 3
    Well, where is your OpenSSL coming from? And how are you using it? For example, if your OpenSSL is coming as part of SQLCipher for Android, just update to the latest SQLCipher for Android distribution. "This would be a solution for all the developers who got the same Mail this morning" -- not really. First, emails about this have been going out for months, as I understand it. Second, the details of replacing a library are often app-specific. – CommonsWare May 08 '15 at 11:07
  • Related: [Google Play OpenSSL warning message](http://stackoverflow.com/q/24197777). – jww May 09 '15 at 08:27
  • @CommonsWare How do I know where the OpenSSL is coming from, so that I can upgrade that library? – M. Usman Khan Oct 03 '20 at 11:43
  • 1
    @M.UsmanKhan: This post is five years old. Hopefully *all* of your libraries are newer than five years old. :-) But, beyond that, I do not know if there is a very easy way to find out, other than to examine each of the AARs (e.g., in your Gradle cache) and see which one(s) have OpenSSL binaries in them. – CommonsWare Oct 03 '20 at 11:47
  • @CommonsWare: Thanks, so what's the procedure to examine one AAR? :) – M. Usman Khan Oct 03 '20 at 12:13
  • @CommonsWare In my case "..x86/librealm-jni.so" has an old OpenSSL version. How do I fix this? – M. Usman Khan Oct 04 '20 at 18:38
  • @M.UsmanKhan: If that is from Realm, make sure that you are on the latest version of Realm. If you are already, and Realm is shipping an old OpenSSL version... remove Realm from your app, I guess. – CommonsWare Oct 04 '20 at 18:40
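
One way to do the check suggested in the comments above (look inside each AAR, or the built APK, for native libraries that carry OpenSSL), as an added example that is not part of the original thread. It assumes the library still contains OpenSSL's embedded version banner; the function names and the sample file names are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# OpenSSL embeds a version banner in its objects, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Assumption: the banner was not stripped; it usually survives static linking,
# so it also appears inside wrapper .so files that link libcrypto.a.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def scan_archive(archive):
    """Return {entry: sorted OpenSSL versions} for every .so in a zip (APK or AAR)."""
    findings = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".so"):
                continue  # only native libraries can carry a linked OpenSSL
            data = zf.read(info)
            versions = sorted({m.group(1).decode("ascii") for m in BANNER.finditer(data)})
            if versions:
                findings[info.filename] = versions
    return findings


def build_sample_aar():
    """Constructed sample: an in-memory AAR-like zip with fake .so payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jni/x86/libvendor-jni.so",
                    b"\x7fELF\x00AES part of OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("jni/x86/libplain.so", b"\x7fELF\x00no tls code here\x00")
        zf.writestr("classes.jar", b"OpenSSL 1.0.1e 11 Feb 2013")  # not a .so, skipped
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python scan_openssl.py app.apk some-library.aar ...
    targets = sys.argv[1:] or [build_sample_aar()]
    for target in targets:
        for name, versions in scan_archive(target).items():
            print(f"{name}: {', '.join(versions)}")
```

Run it over the release APK and over the AARs in the Gradle cache; the entry path that is reported tells you which dependency needs updating.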

1 Answer

9

> I would like to know how to update OpenSSL to the latest supported version in my Android application.

  1. Download OpenSSL 1.0.2a from OpenSSL: Source, Tarballs
  2. Cross-compile OpenSSL for Android
  3. Rebuild your app, linking against the cross-compiled library

Note: your shared object must use static linking against OpenSSL (libssl.a and libcrypto.a). You cannot link your shared object against the OpenSSL shared objects. If you link against 1.0.2 shared objects, then Android's Zygote (the parent of all processes) will load its down-level version and your 1.0.2 version will never load.

jww
  • Thanks for the answer. Is there any specific command to load the library statically? Or will the APK manager take care of doing so? – Zax May 09 '15 at 14:52
  • @Zax - *"... any specific command to load the library statically"* - no, you build a wrapper shared object that statically links to OpenSSL. Then, your app loads your wrapper shared object. The app then uses JNI to call into the shared object. – jww May 09 '15 at 21:26