This week i uncovered a nasty problem with Android development. The well known and, almost universally, used library for secure internet connections, openssl is substituted for a different one inside most Android apps - automatically and without your knowledge.

Often even the developer does not know this is the case.

Inside an Android application, these will be identified as and If you put these inside your apk package, they are not used by Android and, instead, it substitutes its own, from out of its back pocket.

Back door? Who knows? Probably not, but it could be one day!

I found this out by accident. My app uses the function TLS_server_method which was in my version of the libraries but not, as it turned out, in Android's. Consequently the app would not start.

Interestingly, the function is present in Android 6.0 (Marshmallow), but was absent from 5.1 (Lollipop).

Regardless of motives, i want my app to use my versions so that i know what's inside - and so should anyone else who's concerned about data security.

The, somewhat hacky, solution was to rename those libraries to be something different so that Android (for the moment) is unable to identify them.

ho hum.

Next Post Previous Post