I have an app built with Qt for Android. The app is shipped with a custom-built OpenSSL version. This works on most devices; however, on a couple of devices it crashes as soon as an HTTPS request is made.
One example is the SAMSUNG-SM-G930AZ, API Level 26 (Android 8.0).
It produces the following trace when crashing:

    backtrace:
    #00 pc 00000000000667c4 /system/lib64/libc.so (strcasecmp+8)
    #01 pc 000000000023ddd0 /system/lib64/libandroid_runtime.so (EVP_get_cipherbyname+24)
    #02 pc 000000000003a5f0 /data/app/ch.opengis.qfield_beta-ojJ20GzjLOx-tvpq9AD27A==/lib/arm64/libssl_1_1.so (offset 0x29000)

I downloaded the libandroid_runtime.so file from this device, where it lists the mentioned symbol:

    readelf -Ws libandroid_runtime.so | grep EVP_get_cipherbyname
    3593: 000000000023dd78 336 FUNC GLOBAL DEFAULT 12 EVP_get_cipherbyname

On another, non-crashing device (SM-T580, Android 8.1) this is not the case:

    readelf -Ws /tmp/libandroid_runtime.so | grep EVP_get_cipherbyname

This symbol is also in libcrypto_1_1.so, which is shipped with the app. I assume this collision is responsible for the crash.
In the Android docs the following NDK change was done with Android 7:
"In order to reduce the impact that this restriction may have on currently released apps, a set of libraries that see significant use—such as libandroid_runtime.so, [...] — are temporarily accessible on Android 7.0 (API level 24) for apps targeting API level 23 or lower."
The app targets API level 29, so I assume this library should not be available to this app.
How can this crash be avoided?
Can it be prevented from loading libandroid_runtime.so, or can OpenSSL be compiled with specific flags, or is a completely different approach required?
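
The single-symbol grep in the question, extended to a whole-table comparison (an added example, not part of the original post): it parses `readelf -Ws` output for two libraries and lists every name that both define and export. Only the first sample row comes from the post; all other rows and the name `example_local_helper` are constructed.

```python
import re

# One row of `readelf -Ws` output: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(
    r"^\s*\d+:\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)

def exported_symbols(readelf_text, kinds=("FUNC", "OBJECT")):
    """Return {name: address} for symbols a library defines and exports."""
    out = {}
    for line in readelf_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, nameless rows
        value, _size, typ, bind, vis, ndx, name = m.groups()
        if ndx == "UND":                      # imported, not defined here
            continue
        if bind not in ("GLOBAL", "WEAK"):    # LOCAL symbols are not exported
            continue
        if vis not in ("DEFAULT", "PROTECTED") or typ not in kinds:
            continue
        out[name.split("@", 1)[0]] = int(value, 16)  # drop @VERSION suffix
    return out

def collisions(platform_text, bundled_text):
    """Names defined and exported by both libraries."""
    a, b = exported_symbols(platform_text), exported_symbols(bundled_text)
    return sorted(a.keys() & b.keys())

# First row is the readelf line quoted in the post; the other rows are constructed.
PLATFORM = """\
  3593: 000000000023dd78   336 FUNC    GLOBAL DEFAULT   12 EVP_get_cipherbyname
  3594: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcasecmp
  3595: 00000000001a2b40    64 FUNC    LOCAL  DEFAULT   12 example_local_helper
"""
# Constructed rows standing in for `readelf -Ws libcrypto_1_1.so`.
BUNDLED = """\
   812: 0000000000151c20   120 FUNC    GLOBAL DEFAULT   11 EVP_get_cipherbyname
   813: 0000000000151d00    88 FUNC    GLOBAL DEFAULT   11 EVP_get_digestbyname
   814: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcasecmp
"""

if __name__ == "__main__":
    for name in collisions(PLATFORM, BUNDLED):
        print("exported by both libraries:", name)
```

To use it on real files, replace the two sample strings with the saved output of `readelf -Ws` for the platform library and for the bundled library.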