" I know that Android is based a lot around Java, and because of the recently discovered Log4J vulnerability, I’ve been hesitant to use anything that relies on Java unless it’s been recently updated.
Is Log4J even something I have to worry about on Android? If so, how can I tell if an app is using a vulnerable version? "
Also the Class loader in Android needs special DEX compiled classes and doesn’t support loading classes from remote locations like the standard java Class loader. It can only load classes from the local filesystem where the app has access to.
I’ve checked the mentioned libaries. None of them contain the vulnerabe log4j-core.jar.
The commons-logging is only an abstraction which can use log4j when found on the classpath.
The epublib libraries contain only a log4j.properties file, this is a configuration file for log4j, but not the log4j-core classes itself.