OpenSSL vulnerability

It seems the new OpenSSL bug isn’t as severe as they were initially thinking. Still, I’d like to check if any of my apps are using vulnerable versions (3.0.0-3.0.6), since I have a lot of them and some haven’t been updated in a while. (I know that’s not great but using Google Play seems like a worse idea)

Is there any simple way to check this on a rooted phone? So far I’ve ruled out Termux (uses OpenSSL 1.x).

Most apps use the SSL stack of your phone. So make sure to run an up-to-date version of Android

2 Likes

That sounds like good news, it seems OpenSSL came out last September and my phone is way older than that :smiley:

Doesn’t that mean that, while you might not be affected by the vulnerability above, you are affected by dozens of other vulnerabilities discovered earlier? I wouldn’t call this “good news”.

s/dozens/hundreds/

1 Like

Probably yeah, but there’s not much I can do about it without wasting another 500-1k$ to buy something that’s going to be equally wide open in a couple of years. It’s also not something I became aware of today, I’m not qualifying it as news.

Besides, I rely a lot on my fairly savage firewall setup and I’m not convinced a newer Android would improve my security without sacrificing privacy in that regard.

fwiw a Pixel 6a has 4.5 years of guaranteed security updates left and is available for $300.

Otherwise see if your device is supported by my DivestOS or official LineageOS.

Hmm … aren’t there are several SSL stacks on Android? Are Java and NDK using the same stack?

Hmm, apparently the NDK cannot link dynamically against the system’s SSL stack, so apps with native code might ship their own SSL stack. There is also the stack shipped through Google Play Services, but F-Droid apps cannot use it because of non-free dependencies. Additionally, apps can also ship their own stack (AntennaPod’s F-Droid version does that, for example). In general, though, I would assume most apps simply use the system’s default stack.

1 Like

Wow, the price really dropped.