Thousands of Apps Will Crash When Android M Goes Live, Here’s Why

SPR: A flaw has been reported in thousands of Android apps that will crash them when Android M goes live. The problem lies in Google’s shift from OpenSSL to BoringSSL and in app developers ignoring the linking guidelines.
Google’s Android M is currently in the preview stage and developers are busy testing this mobile OS. The latest Android version is expected to roll out this September. The third developer preview of Android, a nearly completed preview, was set to arrive a few days ago, but Google delayed it. Apart from this development, SourceDNA, a code transparency and analytics service provider, has found a flaw in thousands of Android apps that will possibly crash these apps in Android M.
SourceDNA has scanned the Google Play Store and looked for the apps that need fixing. The root cause of this problem points towards Google’s recent move from OpenSSL to BoringSSL. The BoringSSL library provided a cleanup of OpenSSL by removing lots of complicated functionality and flaws like Heartbleed. So, the future release will cause an app to crash if it links against the platform libraries.
Google has never included OpenSSL in its official Android NDK, so Google can perform this SSL change anytime without affecting apps. It should be noted that some app developers have linked their app code against a private Android API, and it’s a recipe for disaster.
So, an app will crash if it links to your phone’s libcrypto.so or libssl.so libraries. This crash will be at the dynamic linker level and it’s possible that crash reporters like ACRA or Crashlytics can detect the problem.

How to fix the OpenSSL/BoringSSL flaw in apps for Android M?

SourceDNA mentions two methods to take care of the flaw:
1. Include the libcrypto.so and/or libssl.so libraries in your app APK. You can do this directly, or statically link your native code with OpenSSL or any other library.
2. Use JNI from your app code to call into the Java crypto API.
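To check whether an APK is in the affected group, the sketch below lists the native libraries whose ELF dynamic section declares a dependency on libcrypto.so or libssl.so without the APK bundling that library for the same ABI. It is an added example, not SourceDNA's scanner; the function names are hypothetical, and it assumes well-formed little-endian ELF files that still carry section headers.

```python
import struct
import zipfile

PLATFORM_LIBS = {"libcrypto.so", "libssl.so"}  # the two libraries the article names
SHT_DYNAMIC, DT_NULL, DT_NEEDED = 6, 0, 1      # constants from the ELF specification

def needed_libs(elf):
    """Return the DT_NEEDED library names of a little-endian ELF image (bytes)."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:   # not ELF, or not little-endian
        return []
    is64 = elf[4] == 2                         # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    shoff, = struct.unpack_from("<Q" if is64 else "<I", elf, 40 if is64 else 32)
    shentsize, shnum = struct.unpack_from("<HH", elf, 58 if is64 else 46)

    def section(i):
        """Return (sh_type, sh_offset, sh_size, sh_link) of section header i."""
        base = shoff + i * shentsize
        typ, = struct.unpack_from("<I", elf, base + 4)
        fmt, at = ("<QQI", 24) if is64 else ("<III", 16)
        return (typ, *struct.unpack_from(fmt, elf, base + at))

    names = []
    for i in range(shnum):
        typ, off, size, link = section(i)
        if typ != SHT_DYNAMIC:
            continue
        str_off = section(link)[1]             # sh_link points at the string table
        entry = "<qQ" if is64 else "<iI"       # (d_tag, d_val) pairs
        for pos in range(off, off + size, struct.calcsize(entry)):
            tag, val = struct.unpack_from(entry, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:               # d_val is an offset into the string table
                start = str_off + val
                names.append(elf[start:elf.index(b"\0", start)].decode())
    return names

def platform_ssl_dependencies(apk):
    """Map each lib/<abi>/*.so in the APK to the SSL libs it needs but the APK lacks."""
    findings = {}
    with zipfile.ZipFile(apk) as z:
        libs = [n for n in z.namelist() if n.startswith("lib/") and n.endswith(".so")]
        for name in libs:
            abi_dir = name.rsplit("/", 1)[0]
            missing = sorted(dep for dep in needed_libs(z.read(name))
                             if dep in PLATFORM_LIBS and f"{abi_dir}/{dep}" not in libs)
            if missing:
                findings[name] = missing
    return findings
```

Call `platform_ssl_dependencies("app.apk")` on a build artifact; an empty result means no bundled native library declares an unbundled dependency on the two libraries. Libraries opened at run time with `dlopen` do not appear in DT_NEEDED and are not covered by this check.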
Apart from the reporting of the flaw, SourceDNA has written about its own product named Searchlight. It aims to provide alerts for flaws by analysing the apps. If you develop Android or iOS apps, you can register for Searchlight to get notifications if your apps have flaws like this.
spatsariya