Android M is currently in its preview stage and Google’s developers are busy testing the mobile OS. The expected date for this latest Android version is fast approaching and should be rolling out sometime in September. The third instalment of the developer preview of Android; an almost finished preview, was set to arrive a few days ago but Google delayed it.
Apart from this latest development, SourceDNA, a code transparency and analytics service provider has found a major flaw in thousands of Android apps that will possibly crash in Android M.
SourceDNA have scanned the Google Play Store and looked for apps that need fixing. The root cause of this problem points towards Google’s recent move from OpenSSL to BoringSSL. The BoringSSL library provided a cleanup of OpenSSL by removing lots of complicated functionality and flaws like Heartbleed. So, the future release will cause the app to crash if it links against the platform libraries.
Google has never included OpenSSL in its official Android NDK (developer’s toolkit), so Google can perform this SSL change anytime without affecting apps. It is also worth bearing in mind that some app developers have linked their app code against a private Android API, and it’s a recipe for disaster.
So, an app will crash if it links to your phone’s libcrypto.so or libssl.so libraries. This crash will be at the dynamic linker level and it’s possible that crash reporters like ACRA or Crashlytics can detect the problem.
How to fix the OpenSSL/BoringSSL flaw in apps for Android M?
SourceDNA mentions two methods to take care of the flaw:
[NB: This solution is shared third-party by the Gadget Helpline and is performed at user discretion. We suggest only following these steps if confident you know what you are doing.]
- Include the libcrypto and/or libssl.so libraries in your app APK. You can do this directly or statically link your native code with OpenSSL or any other library.
- Use JNI from your app code to call into the Java crypto API.