> Binary file ./com/google/android/gms/security/ProviderInstaller.class matches
> Binary file ./com/squareup/okhttp/internal/Platform.class matches
> Binary file ./cz/msebera/android/httpclient/extras/PRNGFixes.class matches
>
> Yet, I still can't find from here what version of OpenSSL these classes are
> running. Any recommendations on what to do next?

The AOSP script is not intelligent. It only performs string compares. It flagged a couple of my native libs because I was using libcrypto rather than the offending libssl.

If it's an option, just edit the strings in the initialized data section. Whether it's an option depends on whether you are using vulnerable functions.

It's OK to edit the strings because the security boundary is the APK/Android app, and the native library is within the boundary. Once the APK verifies, the system deems everything OK. It cannot tell the strings have been modified in the native shared object because there's no signature over it.

Jeff
