Hi Jeff, I think I have a good idea of what you're suggesting to do; but I'm clear on the best way to implement this solution. (I have a few other questions in general; which I will save for the end of the post)
So to clarify; this is my understanding, on a higher level, of what I should be doing.

1) The strategy is to use the sed command to replace any binaries with vulnerable versions of OpenSSL to either -->
- 1.0.1h,
- 1.0.0m,
- 0.9.8za

2) The sed commands will recursively search through all the strings in the binary files within the application and the aar, jar & JNI linked native libraries and replace the OpenSSL .so native libs; inside the binaries themselves.

Here are my questions about implementing this strategy

1) Should I be running the sed command on the final unzipped .apk file? If so, should I build the .apk without minify, zipalign & proguard so that the sed command will work properly? Alternatively, could

On Monday, September 28, 2015 at 4:33:05 PM UTC-4, Jeffrey Walton wrote:
> > Binary file ./com/google/android/gms/security/ProviderInstaller.class matches
> >
> > Binary file ./com/squareup/okhttp/internal/Platform.class matches
> >
> > Binary file ./cz/msebera/android/httpclient/extras/PRNGFixes.class matches
> >
> > Yet, I still can't find from here what version of OpenSSL these classes are
> > running. Any recommendations on what to do next?
>
> The AOSP script is not intelligent. It only performs string compares.
> It flagged a couple of my native libs because I was using libcrypto
> rather than the offending libssl.
>
> If it's an option, just edit the strings in the initialized data
> section. Whether it's an option depends on whether you are using
> vulnerable functions.
>
> It's OK to edit the strings because the security boundary is the
> APK/Android app, and the native library is within the boundary. Once
> the APK verifies, the system deems everything OK. It cannot tell the
> strings have been modified in the native shared object because there's
> no signature over it.
>
> Jeff
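An added example, not part of the thread and not the AOSP script: one way to answer the "what version is actually bundled" question is to look for the full OpenSSL version banner (rather than any string match) in every entry of the APK, including nested jar/aar archives, and compare it with the versions named in the post. The function names, status labels and the in-memory sample archive are assumptions made for this illustration.

```python
import io
import re
import zipfile

# Version banner as embedded in libcrypto/libssl, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2}) ")
# Versions named in the post, keyed by release branch
POST_VERSIONS = {"1.0.1": "h", "1.0.0": "m", "0.9.8": "za"}

def letter_rank(suffix):
    # OpenSSL patch letters run a..z, then za, zb, ...; no letter sorts first
    return (len(suffix), suffix)

def scan_archive(data, prefix=""):
    """Return sorted (entry path, version, status) for each banner found,
    recursing into nested .jar/.aar/.zip entries."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            path = prefix + info.filename
            nested = info.filename.endswith((".jar", ".aar", ".zip"))
            if nested and zipfile.is_zipfile(io.BytesIO(blob)):
                findings.update(scan_archive(blob, path + "!/"))
                continue
            for m in BANNER.finditer(blob):
                branch, letter = m.group(1).decode(), m.group(2).decode()
                floor = POST_VERSIONS.get(branch)
                if floor is None:
                    status = "branch-not-in-post"
                else:
                    older = letter_rank(letter) < letter_rank(floor)
                    status = "older" if older else "at-or-newer"
                findings.add((path, branch + letter, status))
    return sorted(findings)

def build_sample_apk():
    # Constructed sample: fake .so/.class payloads, not real binaries
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("jni/armeabi/libssl.so", b"\x7fELF\0OpenSSL 0.9.8za 5 Jun 2014\0")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/armeabi/libcrypto.so", b"\x7fELF\0OpenSSL 1.0.1e 11 Feb 2013\0")
        z.writestr("com/example/Platform.class", b"\xca\xfe\xba\xbeOpenSSL provider")
        z.writestr("libs/vendor.aar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for row in scan_archive(build_sample_apk()):
        print(*row)
```

The .class entry in the sample mentions OpenSSL but carries no version banner, so it is not reported; only entries with a full banner are.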
