5

This morning I got a mail from Google's developer console saying that I'm using a version of OpenSSL that is open to security vulnerabilities.

Actually I'm just maintaining the code and I haven't developed it. However, I am supposed to fix this issue.

I would like to know how to update OpenSSL to the latest supported version in my Android application.

I tried searching a lot, but have not found how to do so in an Android application.

This would be a solution for all the developers who got the same mail this morning.

Thanks in advance.

7
  • 3
    Well, where is your OpenSSL coming from? And how are you using it? For example, if your OpenSSL is coming as part of SQLCipher for Android, just update to the latest SQLCipher for Android distribution. "This would be a solution for all the developers who got the same Mail this morning" -- not really. First, emails about this have been going out for months, as I understand it. Second, the details of replacing a library are often app-specific. Commented May 8, 2015 at 11:07
  • Related: Google Play OpenSSL warning message. Commented May 9, 2015 at 8:27
  • @CommonsWare how to know where the OpenSSL is coming from, so that I can upgrade that library? Commented Oct 3, 2020 at 11:43
  • 1
    @M.UsmanKhan: This post is five years old. Hopefully all of your libraries are newer than five years old. :-) But, beyond that, I do not know if there is a very easy way to find out, other than to examine each of the AARs (e.g., in your Gradle cache) and see which one(s) have OpenSSL binaries in them. Commented Oct 3, 2020 at 11:47
  • @CommonsWare. Thanks, so what's the procedure to examine one AAR :) Commented Oct 3, 2020 at 12:13

1 Answer

9

I would like to know how to update OpenSSL to the latest supported version in my Android application.

  1. Download OpenSSL 1.0.2a from OpenSSL: Source, Tarballs
  2. Cross-compile OpenSSL for Android
  3. Rebuild your app, linking against the cross-compiled library

Note: your shared object must use static linking against OpenSSL (libssl.a and libcrypto.a). You cannot link your shared object against the OpenSSL shared objects. If you link against 1.0.2 shared objects, then Android's Zygote (the parent of all processes) will load its down-level version and your 1.0.2 version will never load.

2 Comments

Thanks for the answer. Is there any specific command to load the library statically, or will the APK manager take care of doing so?
@Zax - "... any specific command to load the library statically" - no, you build a wrapper shared object that statically links to OpenSSL. Then, your app loads your wrapper shared object. The app then uses JNI to call into the shared object.
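
One way to do the check described in the comments on the question (see which AARs carry OpenSSL binaries), and to confirm after a rebuild that the wrapper shared object reports the new version. This is an added example, not code from the thread: it assumes the native code still contains OpenSSL's embedded version banner, and `scan_archive` and `build_sample_aar` are names made up here.

```python
import io
import re
import sys
import zipfile

# Banner that libcrypto embeds, e.g. "OpenSSL 1.0.1e 11 Feb 2013". It survives
# static linking, so a wrapper .so built against libcrypto.a carries it too.
BANNER = re.compile(
    rb"OpenSSL \d+\.\d+\.\d+[a-z]*(?:-[\w.]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")
NATIVE = (".so", ".a")
ARCHIVES = (".jar", ".aar", ".apk")


def scan_archive(source, prefix=""):
    """Map each native library in an AAR/APK/JAR to the OpenSSL banners in it.

    `source` is a path or a binary file object; nested archives are followed.
    """
    findings = {}
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            lower = info.filename.lower()
            if lower.endswith(NATIVE):
                hits = BANNER.findall(archive.read(info))
                if hits:
                    findings[prefix + info.filename] = sorted(
                        {h.decode() for h in hits})
            elif lower.endswith(ARCHIVES):
                nested = io.BytesIO(archive.read(info))
                if zipfile.is_zipfile(nested):
                    findings.update(
                        scan_archive(nested, prefix + info.filename + "!/"))
    return findings


def build_sample_aar():
    """Constructed sample: an in-memory AAR holding fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as aar:
        aar.writestr("AndroidManifest.xml", "<manifest/>")
        aar.writestr("jni/armeabi-v7a/libwrapper.so",
                     b"\x7fELF\x00junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00more")
        aar.writestr("jni/armeabi-v7a/libother.so", b"\x7fELF\x00no tls here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for target in sys.argv[1:] or [build_sample_aar()]:
        for member, banners in scan_archive(target).items():
            print(f"{member}: {', '.join(banners)}")
```

Pass the paths of the AARs from the Gradle cache, or the built APK, as arguments; with no arguments it scans the constructed sample.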
