SourceDNA, a code transparency and analytics service provider, has reported a flaw in thousands of apps that will likely cause them to crash when Android M goes live. At the heart of the problem is Google's recently announced move from OpenSSL to BoringSSL, which affects a large number of apps across the Google Play Store. With the announcement, Google advised that future platform releases might cause an app to crash if the app links against platform libraries. Android M, expected to arrive in September, is the next such release, and SourceDNA anticipates it will trigger widespread crashes among Android apps.
While Google has never included OpenSSL in the official Android NDK, many developers follow guides that instruct them to copy the libraries off a device and link against those copies. As long as the platform shipped OpenSSL, this practice had no negative effects. However, when Android M goes live, problems will ensue, SourceDNA says. For example, an app that links against a phone's libcrypto.so or libssl.so will crash on Android M, according to SourceDNA. The crash occurs at the dynamic-linking stage, when the library is loaded, so crash reporters (e.g., Crashlytics, ACRA) might not log the problem, and negative user feedback might be the only indication that the issue exists.
SourceDNA offers two methods to fix the problem:
- "Include the libssl.so and/or libcrypto.so libraries in your APK. You can include these files directly or statically link your native code with OpenSSL or another crypto library."
- "Use JNI from your native code to call into the Java crypto API."
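Before choosing a fix, an app owner wants to know whether any native library in the APK actually depends on the device's libssl.so or libcrypto.so. The script below is an added example, not SourceDNA's or Searchlight's code: it unpacks an APK (a zip), parses the ELF program headers and dynamic section of every lib/**/*.so, and reports DT_NEEDED entries that name the platform OpenSSL libraries, which is exactly the linkage the article says will fail on Android M. The set PLATFORM_SSL_LIBS, the function names, and the header-only ELF64 builder used to construct a sample APK are assumptions of this example; the constructed libraries are not real binaries.

```python
import io
import struct
import zipfile

PLATFORM_SSL_LIBS = {"libssl.so", "libcrypto.so"}   # assumed: the platform libs named in the article
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def elf_needed(data: bytes) -> list:
    """Return the DT_NEEDED library names of an ELF32/ELF64 shared object."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"   # Elf64_Phdr / Elf64_Dyn
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"   # Elf32_Phdr / Elf32_Dyn
    loads, dynamic = [], None
    for i in range(e_phnum):
        f = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        # Field order differs: ELF64 puts p_flags second, ELF32 puts it seventh.
        p_type, p_offset, p_vaddr, p_filesz = (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                               # no dynamic section: nothing resolved from the device
    entries = []
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_vaddr is None:
        return []
    # DT_STRTAB holds a virtual address; translate it to a file offset via the PT_LOAD map.
    for vaddr, off, size in loads:
        if vaddr <= strtab_vaddr < vaddr + size:
            str_off = strtab_vaddr - vaddr + off
            break
    else:
        raise ValueError("DT_STRTAB not covered by any PT_LOAD segment")
    return [data[str_off + v:data.index(b"\x00", str_off + v)].decode()
            for t, v in entries if t == DT_NEEDED]


def scan_apk(apk_bytes: bytes) -> dict:
    """Map each lib/**/*.so in the APK to the platform SSL libs it depends on."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                hits = [d for d in elf_needed(z.read(name)) if d in PLATFORM_SSL_LIBS]
                if hits:
                    findings[name] = hits
    return findings


def build_minimal_elf64(needed: list) -> bytes:
    """Constructed sample: a header-only ELF64 .so carrying the given DT_NEEDED entries."""
    strtab, name_offs = b"\x00", []
    for n in needed:
        name_offs.append(len(strtab))
        strtab += n.encode() + b"\x00"
    dyn_off = 64 + 2 * 56                       # ELF header + two program headers
    dyn_len = (len(needed) + 3) * 16            # NEEDED..., STRTAB, STRSZ, NULL
    str_off = dyn_off + dyn_len
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 183, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)   # ET_DYN, EM_AARCH64
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)   # vaddr == file offset
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, dyn_len, dyn_len, 8)
    tags = [(DT_NEEDED, o) for o in name_offs] + [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in tags)
    return ehdr + load + dyn_ph + dyn + strtab


def build_sample_apk(libs: dict) -> bytes:
    """Constructed sample APK (a zip) containing the given native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, blob in libs.items():
            z.writestr(path, blob)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk({
        "lib/arm64-v8a/libnet.so": build_minimal_elf64(["libssl.so", "liblog.so"]),
        "lib/arm64-v8a/libok.so": build_minimal_elf64(["liblog.so"]),
    })
    for lib, hits in scan_apk(sample).items():
        print(f"{lib}: links against platform {', '.join(hits)}")
```

To check a real build, call scan_apk(open("app.apk", "rb").read()); an empty result means no shipped native library asks the loader for libssl.so or libcrypto.so. A non-empty result is the case the two fixes above address: either bundle the libraries in the APK (or link statically) so the DT_NEEDED entries resolve to your own copies, or drop the native dependency and reach the Java crypto API through JNI.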
SourceDNA uncovered the flaw using its own product, Searchlight, which provides deep analysis and monitoring for apps, alerts app owners to security flaws, and suggests ways to improve their code. Registering with Searchlight will alert you if your app is one of the thousands vulnerable to the Android M crash. Check out Searchlight to learn more, or adjust your app as SourceDNA suggests before the Android M release.