Hi everybody. I was asked whether my Android application is vulnerable to the most recent OpenSSL vulnerabilities, especially Heartbleed and the latest man-in-the-middle attacks, which rely on the client AND the backend being vulnerable: CVE-2014-0224 [1]. CVE-2014-0224 has been fixed in OpenSSL 1.0.1h.
I sometimes transmit sensitive data over SSL to our servers, which is why this topic is important to me. I use the WebView, but also use javax.net.ssl.* to connect to my servers via SSL. I was searching the web to find out more about how Android establishes an SSL connection in the different Android versions and whether it relies on OpenSSL (and on which version). I did not find many discussions, so I went into the code a bit. These are my results. Could you please confirm, correct me, or point to places where I can find further information?

For connections made via Android code via javax.net.ssl.*:

* Android uses libcrypto.so and libssl.so
* libssl.so is basically built from OpenSSL, which is committed into the Android source code in platform/external/openssl.git [2]
* I don't see the latest CVE-2014-0224 fixes in place here. Still, OpenSSL 1.0.1g is used.

Android 4.0.4 : OpenSSL 1.0.0e
Android 4.1.1 : OpenSSL 1.0.1c
Android 4.1.2 : OpenSSL 1.0.1c (heartbeats disabled)
Android 4.2.2 : OpenSSL 1.0.1c
Android 4.3   : OpenSSL 1.0.1e
Android 4.4.2 : OpenSSL 1.0.1e
Android 4.4.3 : OpenSSL 1.0.1e
GIT (07.01.14) : OpenSSL 1.0.1f
GIT (09.04.14) : OpenSSL 1.0.1g

For the Chromium WebView (used since Android 4.4):

* OpenSSL is checked into the Android source code a second time in platform/external/chromium_org/third_party/openssl [3]
* The latest OpenSSL fixes (CVE-2014-0224) have been checked in for Chromium on the 5th of June 2014. [4]

For the "Classic" Android WebView:

* Does the WebView rely on libssl.so as well? Where is the code for the classic WebView?
* Will it still receive security fixes?

Can I assume the following: all Android apps that use the WebView (except if the Chromium WebView is used with a version after the 5th of June) or use javax.net.ssl.HttpsConnection are vulnerable to man-in-the-middle attacks à la CVE-2014-0224 if such apps connect to a server that is also vulnerable?

Help from the community and statements from the Android dev team are very much appreciated.
Thanks and best regards,
Merlin

[1] https://www.openssl.org/news/secadv_20140605.txt
[2] https://android.googlesource.com/platform/external/openssl.git/
[3] https://android.googlesource.com/platform/external/chromium_org/third_party/openssl/+/android-4.4.3_r1/openssl/
[4] https://android.googlesource.com/platform/external/chromium_org/third_party/openssl/+/254cbf8d28033e47a3faf8d2a6125d0e45bbea45
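A defender-side check that follows from the version table in the post, added here as an example and not code from the poster or from the Android project: it pulls the version banner that OpenSSL embeds in libcrypto (e.g. "OpenSSL 1.0.1e 11 Feb 2013") out of a library image and compares it against the first release that fixed CVE-2014-0224 on each branch (0.9.8za, 1.0.0m, 1.0.1h, per the OpenSSL advisory cited as [1]). The sample library bytes are constructed; the system path in the comment is assumed.

```python
import re

# First fixed release per OpenSSL branch for CVE-2014-0224, per the
# OpenSSL security advisory of 5 June 2014 (the poster's reference [1]).
CVE_2014_0224_FIXED = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# OpenSSL embeds its version text in libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")

def parse_version(text):
    """Split '1.0.1g' into ((1, 0, 1), 'g'); a bare '1.0.2' has letter ''."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def is_fixed_cve_2014_0224(text):
    """True if this OpenSSL release carries the CVE-2014-0224 fix."""
    branch, letter = parse_version(text)
    if branch in CVE_2014_0224_FIXED:
        # Letter suffixes order lexicographically: '' < 'a' < ... < 'z' < 'za'.
        return letter >= CVE_2014_0224_FIXED[branch]
    # Branches newer than 1.0.1 shipped after the fix; older ones never received it.
    return branch > (1, 0, 1)

def find_openssl_version(blob):
    """Return the first embedded OpenSSL version string in a binary, or None."""
    m = VERSION_RE.search(blob)
    return m.group(1).decode("ascii") if m else None

def check_library(blob):
    """Classify a library image as (version, fixed) or (None, None) if no banner."""
    version = find_openssl_version(blob)
    if version is None:
        return None, None
    return version, is_fixed_cve_2014_0224(version)

# Constructed stand-in for a pulled /system/lib/libcrypto.so (path assumed):
# an ELF-looking prefix, filler bytes and the version banner.
SAMPLE_LIBCRYPTO = b"\x7fELF\x00\x00junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00more\x00"

if __name__ == "__main__":
    for v in ["1.0.0e", "1.0.1c", "1.0.1e", "1.0.1f", "1.0.1g", "1.0.1h"]:
        print(v, "fixed" if is_fixed_cve_2014_0224(v) else "VULNERABLE (CVE-2014-0224)")
    print(check_library(SAMPLE_LIBCRYPTO))
```

The banner only tells you the upstream release a library was built from; it cannot reveal backported patches or build-time options such as the disabled heartbeats the post mentions for Android 4.1.2, so treat a "fixed" result as necessary but not sufficient.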