All

Thousands of Apps Will Crash When Android M Goes Live, Here’s Why

Thousands of Apps Will Crash When Android M Goes Live, Here’s Why


android-robot-sign-234
SPR: A flaw has been reported in thousands of Android apps that will crash them when Android M goes live. The problem lies in Google’s shift from OpenSSL to BoringSSL and the ignorance of app developers towards the linking guidelines.
Google’s Android M is currently in preview stage and developers are busy testing this mobile OS. The latest Android version is expected to roll out this September. The third developer preview of Android, a nearly completed preview, was set to come few days ago but Google delayed it. Apart from this development, SourceDNA, a code transparency and analytics service provider has found a flaw in thousands of Android apps that will possibly crash these apps in Android M.

SourceDNA has scanned the Google Play Store and looked for the apps that need fixing. The root cause of this problem points towards Google’s recent move from OpenSSL to BoringSSL. The BoringSSL library provided a cleanup ofOpenSSL by removing lots of complicated functionality and flaws like Heartbleed. So, the future release will cause the app to crash if it links against the platform libraries.
Google has never included OpenSSL in its official Android NDK, so Google can perform this SSL change anytime without affecting apps. It should be noted that some app developers have linked their app code against a private Android API, and it’s a recipe for disaster.
So, an app will crash if it links to your phone’s libcrypto.so or libssl.so libraries. This crash will be at the dynamic linker level and it’s possible that crash reporters like ACRA or Crashlytics can detect the problem.

How to fix the OpenSSL/BoringSSL flaw in apps for Android M?

SourceDNA mentions two methods to take care of the flaw:
1. Include the libcrypto and/or libssl.so libraries in your app APK. You can do this directly or statically link your native code with OpenSSL or any other library.
2. Use JNI from your app code to call into the Java crypto API.
Apart from the reporting of the flaw, SourceDNA has written about its own product named Searchlight. It aims to provide alerts for flaws by analysing the apps. If you develop Android or iOS apps, you can register for Searchlight to get notifications if your apps have flaws like this.
Did you find this story helpful? Tell us in comments below.
For more updates and interesting stories, subscribe to SPRtech newsletter.
Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Close
Close

AdBlocker Detected

Advertisements generate huge chunks of revenues for websites and online businesses. Ad-blocker and tracker blocking programs have gained momentum in the last few years with massive debates raging on privacy concerns and improving user experience online. Acceptable Ads programme and Anti Ad-blockers are primary elements emerging in recent years that combat ad-blockers. In this paper, we discuss at length data collection of top websites in the world, Germany, DACH region and news category. We generate feature based A/B testing metrics and employ classifier evaluations on them along with then analysing the result. Our paper also discusses how Anti Ad-blockers impact the economic, legal and ethical usage in Germany along with the recent changes in GDPR while taking a look at Acceptable ads programme and Whitelisting.
%d bloggers like this: