At I/O, Google declared that BoringSSL will launch with Android M in September 2015. Analysis of the changes BoringSSL will bring for existing Android mobile apps is already spreading, and it is expected to spell death for many current apps on Android.
Google developed its own fork of OpenSSL, called BoringSSL. Until now, OpenSSL was the most widely used cryptography library, but the Heartbleed vulnerability made everyone think again. Following that attention, Android decided to move from OpenSSL to BoringSSL in the AOSP.
WWDC has left a lot to look forward to, but before that came the Google-hosted I/O, with the news of BoringSSL and the predictions associated with it. Here are the changes that the shift from OpenSSL to BoringSSL will bring.
- After the Heartbleed incident, Google wanted to make sure such incidents do not happen again. Hence the move from OpenSSL to BoringSSL.
- Once Android M comes into the picture, all the apps that haven't adapted to BoringSSL will crash and will not work on the new Android version.
- With OpenSSL, one could choose which security systems or levels to use and which not. That could bring about leaks like Heartbleed, and it did.
- With BoringSSL, the security systems are fixed and cannot be opted out of. This makes for a strong security layer.
While BoringSSL is a good sign for users, making sure their data remains secure at all costs, it makes for a difficult time for the apps that have been running freely under the rule of OpenSSL.
Why might the Android M release cause Android apps to crash?
If your app is mistakenly linking to the old cryptography library (libcrypto.so or libssl.so), which is not part of the Android NDK API, it is likely to crash on the new OS, Android M.
So it's time to modify your native code.
What’s the Fix?
- “Include the libssl.so and/or libcrypto.so libraries in your APK. You can include these files directly or statically link your native code with OpenSSL or another crypto library.”
- “Use JNI from your native code to call into the Java crypto API.”
These two methods are given by SourceDNA and cited by ProgrammableWeb.
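A way to check an APK for the linking problem described above, as an added example (not code from SourceDNA, Searchlight, or this post): it reads the DT_NEEDED entries of every native library in the APK and reports those that depend on libcrypto.so or libssl.so without the APK bundling them. The function names are hypothetical, and it assumes the .so files still carry section headers; libraries loaded at run time with dlopen are not detected.

```python
import struct, sys, zipfile

SYSTEM_CRYPTO = {"libcrypto.so", "libssl.so"}  # platform-private, not NDK API

def needed_libs(elf):
    """Return DT_NEEDED names from an ELF image (assumes section headers exist)."""
    if elf[:4] != b"\x7fELF":
        return []
    is64, e = elf[4] == 2, "<" if elf[5] == 1 else ">"
    if is64:
        shoff, = struct.unpack_from(e + "Q", elf, 0x28)
        entsize, shnum = struct.unpack_from(e + "HH", elf, 0x3A)
        shfmt, dynfmt = e + "IIQQQQI", e + "qQ"
    else:
        shoff, = struct.unpack_from(e + "I", elf, 0x20)
        entsize, shnum = struct.unpack_from(e + "HH", elf, 0x2E)
        shfmt, dynfmt = e + "IIIIIII", e + "iI"
    # Each tuple: name, type, flags, addr, offset, size, link
    secs = [struct.unpack_from(shfmt, elf, shoff + i * entsize) for i in range(shnum)]
    names = []
    for sec in secs:
        if sec[1] != 6:                      # SHT_DYNAMIC
            continue
        strtab = secs[sec[6]][4]             # sh_link -> file offset of .dynstr
        for pos in range(sec[4], sec[4] + sec[5], struct.calcsize(dynfmt)):
            tag, val = struct.unpack_from(dynfmt, elf, pos)
            if tag == 0:                     # DT_NULL ends the table
                break
            if tag == 1:                     # DT_NEEDED: val indexes .dynstr
                start = strtab + val
                names.append(elf[start:elf.index(b"\0", start)].decode())
    return names

def unbundled_crypto_deps(apk):
    """Map 'lib/<abi>/x.so' -> system crypto libs it needs but the APK lacks."""
    findings = {}
    with zipfile.ZipFile(apk) as z:
        entries = set(z.namelist())
        for name in sorted(entries):
            if name.startswith("lib/") and name.endswith(".so"):
                abi_dir = name.rsplit("/", 1)[0]
                missing = sorted(lib for lib in set(needed_libs(z.read(name))) & SYSTEM_CRYPTO
                                 if f"{abi_dir}/{lib}" not in entries)
                if missing:
                    findings[name] = missing
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for so, libs in unbundled_crypto_deps(sys.argv[1]).items():
        print(f"{so}: links {', '.join(libs)} from the system image")
```

An empty result means no native library in the APK has a direct, unbundled dependency on the system copies; a finding points at the library that needs one of the two fixes quoted above.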
SourceDNA has its own product named Searchlight. Registering for it will alert you whether your app is one of the thousands that will crash when Android M launches or will survive after all. Searchlight also suggests how to make the app survive and mentions a few changes in the code, as BoringSSL mentions (http://bit.ly/1KNntxS).
While Android M and BoringSSL combined do pose issues for the mobile app industry, it is also a consolation for smartphone and app users, making sure their data doesn’t leak and proper security is maintained. This is an opportunity in one way, wherein you can standardize your app.
While this news may have you getting up from your seat and pacing around the room, worried for your app, we are here to provide you with the solution. Whichever the app, wherever it has been made, we can make it Android M and BoringSSL friendly. Don't let your app get killed ruthlessly. Update it now!